Abstract

Consider the general scenario where Alice wishes to transmit a message m to Bob. These two
players share a communication channel; however, there exists an adversary, Carol, who aims to prevent 
the transmission of m by blocking this channel. There are costs to send, receive or block m on the 
channel, and we ask: How much do Alice and Bob need to spend relative to the adversary Carol in 
order to guarantee transmission of m?

This problem abstracts many types of conflict in information networks including: jamming attacks 
in wireless sensor networks (WSNs) and distributed denial-of-service (DDoS) attacks on the Internet, 
where the costs to Alice, Bob and Carol represent an expenditure of energy or network resources. The 
problem allows us to quantitatively analyze the economics of information exchange in an adversarial 
setting and ask: Is communication cheaper than censoring communication? 

We answer this question in the affirmative. Specifically, in a time-slotted network with constant 
costs to send, receive and block m in a slot, if Carol spends a total of B slots trying to block m, then 
both Alice and Bob must be active for only $O(B^{\varphi-1} + 1) = O(B^{0.62} + 1)$ slots in expectation to
transmit m, where $\varphi = (1 + \sqrt{5})/2$ is the golden ratio. Surprisingly, this result holds even if (1) B
is unknown to either player; (2) Carol knows the algorithms of both players, but not their random bits; 
and (3) Carol can attack using total knowledge of past actions of both players. 

In the spirit of competitive analysis, approximation guarantees, and game-theoretic treatments, our 
approach represents another notion of relative performance that we call resource competitiveness. This 
new metric measures the worst-case performance of an algorithm relative to any adversarial strategy 
and pertains to scenarios where all network devices are resource-constrained. Here, we apply the 
resource-competitive results above to two concrete problems. First, we consider jamming attacks in 
WSNs and address the fundamental task of propagating m from a single device to all others in the
presence of faults. Second, we examine how to mitigate application-level DDoS attacks in a wired
client-server scenario.

1 Introduction 

Denial-of-service (DoS) attacks are an increasingly common threat to the availability of large-scale
networks. In the wireless domain, practitioners have expressed concerns that important surveillance services
will suffer DoS attacks by the deliberate disruption of the communication medium [16], and there is a
large body of literature on various practical security concerns (see [48, 54] and references therein). In the
wired domain, the distributed denial-of-service (DDoS) attacks in November of 2010 on Amazon, Visa,
Mastercard, and PayPal [9, 44, 68] demonstrated that even prominent companies are vulnerable over the
Internet. Given this state of affairs, an interesting question arises: Is it fundamentally "harder" or "easier"
to communicate in such large-scale networks than it is to block communication?

To analyze this question from an algorithmic perspective, we define the following simple problem,
which we call the 3-Player Scenario: Alice wishes to guarantee transmission of a message m directly to 
Bob over a single communication channel. However, there exists an adversary Carol who aims to prevent 
communication by blocking transmissions over the channel. We consider two cases: (Case 1) when Carol 
may spoof or even control Bob, which allows her to manipulate an unwitting Alice into incurring excessive 
sending costs; and (Case 2) where Bob is both correct and unspoofable, and his communications cannot 
be blocked. Here, "cost" corresponds to a network resource, such as energy in wireless sensor networks 
(WSNs) or bandwidth in wired networks. 

In the 3-Player Scenario, we show that communication is fundamentally cheaper than preventing
communication. Specifically, we describe a protocol that guarantees correct transmission of m, and given that
Carol incurs a cost of B, has the following properties. In Case 1, the expected cost to both Alice and
Bob is $O(B^{\varphi-1} + 1)$ where $\varphi$ is the golden ratio. In Case 2, the expected cost to both Alice and Bob is
$O(B^{0.5} + 1)$. In both cases, Carol's cost asymptotically exceeds the expected cost of either correct player.
We extend these results and apply them to network applications in both the wireless and wired domains. 
Here too, we provide an analysis in terms of resource expenditures by the correct network devices relative 
to those of the adversarial devices. 

1.1 Resource Competitiveness 

In many situations, it is useful to view the performance of an algorithm A in terms of its "competitiveness"
and this notion underlies competitive analysis and approximation algorithms. In the case where A is an
online algorithm, a standard technique is to analyze the worst-case performance of A relative to an optimal
algorithm OPT that has full information regarding the input (i.e. an optimal offline algorithm). For
an optimization problem involving the minimization of an objective function (also referred to as a cost
function) C, which takes as input an algorithm and an instance I from the set $\mathcal{I}$ of all possible inputs, we
say that A achieves a competitive ratio of $\lambda$ if $C(A, I) \le \lambda \cdot C(OPT, I)$ for all $I \in \mathcal{I}$. This notion of
competitive analysis was first introduced by Tarjan and Sleator [62] and it quantifies the amount by which
A is outperformed by OPT. A closely related technique for algorithm analysis is that of establishing
approximation guarantees. In this case, a similar definition applies with the major difference being that
the input is fully known to A a priori. Both the notions of a competitive ratio and an approximation ratio
allow us to measure performance relative to an optimal algorithm under worst-case inputs which are often
thought of as having been selected by an adversary.

A related metric is offered by game theory [51, 59]. Devices (or players) are assumed to be autonomous
and governed by self-interested but rational behaviour. Here, the notion of the "price of anarchy" is the 
ratio of the worst-case Nash equilibrium to the global social optimum. For a system where each rational 
player acts to minimize their own respective cost function (or maximize their respective payoff function), 
the price of anarchy gauges the competitiveness of this system relative to the ideal scenario where all 
players act unselfishly to minimize global cost. 

The approach taken in this paper provides a new notion of "competitiveness" for an n-player system
that we call resource competitiveness. Each player $p_i$ is classified as either correct, if its actions are
prescribed by an algorithm A, or faulty otherwise; let P be the set of correct players and F be the set of
faulty players. The faulty players may collude and coordinate their attacks; therefore, we may view the
players in F as being controlled by a single adversary. Let $C_i$ denote the resource expenditure (or cost) to
a player $p_i$. If $p_i$ is correct, then $C_i$ is the cost incurred by the actions prescribed by A. Otherwise, $p_i$ is
faulty and $C_i$ is the cost incurred by pursuing an arbitrary strategy. The full memberships of P and F are
not necessarily known to A a priori and may be, in part, selected adversarially.

Given this notation, our most general formulation of resource competitiveness is as follows. We say
that algorithm A is $\rho$-resource-competitive if $\rho \cdot g(\{C_i\}_{p_i \in P}) \le a(\{C_j\}_{p_j \in F})$ for any strategy employed
by the adversary and where $g(\cdot)$ and $a(\cdot)$ are functions that take as input the set of costs for the
correct and faulty players, respectively. We call the parameter $\rho$ the resource-competitive ratio and it
measures the ratio $g(\cdot)$ to $a(\cdot)$. As a concrete example, in this paper, $g(\cdot)$ outputs the maximum resource
expenditure by any correct player, and $a(\cdot)$ outputs the sum total resource expenditure by the faulty players
$B = \sum_{p_j \in F} C_j$. Therefore, we may rewrite our definition as: $\rho \cdot \max_{p_i \in P}\{C_i\} \le B$. In this case,
$\rho$ measures the ratio of the sum total resource expenditure by the adversary to the maximum resource
expenditure by any correct player; a large $\rho$ is desirable.

The generality of our definition allows us to capture the notion of "fairness" or "relative load-balancing". 
In this work, our definition of $g(\cdot)$ motivates algorithms where it is important to minimize the worst-case
cost to any single correct player. However, one can imagine cases where the sum total cost incurred by the
correct players is the primary concern. Alternatively, it may be the case that the adversary is constrained 
such that the worst-case cost to any faulty player is a more suitable metric; for example, if the adversary 
wishes to maximize the lifetime of all faulty devices in a network where energy is scarce such as in a 
wireless sensor network. 

1.2 Practical Aspects of Resource Competitiveness 

As is often done with competitive ratios and approximation ratios, we will abuse the "$\le$" notation in
our definition of resource competitiveness by presenting $\rho$ in terms of asymptotic notation when stating
our results. In the case of an approximation ratio, this implies that the guarantee holds for sufficiently 
large problem instances. If approximation algorithms are being employed, they are typically used on 
optimization problems of large size and, therefore, the constant hidden within the asymptotic notation 
may not be a critical concern. In the case of resource competitiveness, the situation requires a little more 
consideration. Certainly, as B goes to infinity, all players enjoy an advantage over the adversary. However, 
due to the constants inside the asymptotic notation, it is possible that up to a threshold value for B the 
adversary is actually incurring less cost than some (or maybe all) of the correct players. 

Given this situation, can the adversary simply launch "small" attacks? That is, what if the adversary
attacks in a way that never exceeds the threshold value and, therefore, forces at least one correct player
to spend more? If this occurs, it is critical to note that the amount of disruption caused by the adversary
is also limited. In the context of the communication problems considered in this work, this implies that
the duration for which the adversary may delay communication is limited. That is, the adversary cannot
both (i) force the correct players to spend more resources and (ii) prevent the correct players from
communicating for long periods of time. More generally, the adversary cannot force the correct players to incur
greater cost while also preventing the successful termination of A for a duration of time that depends on
the constants involved. For our purposes, this means that the network throughput will be relatively high 
given that the constants inside the asymptotic notation are tolerable. We argue that, in the context of our 
applications, this is the case. 

In the wireless setting, our cost is measured as the number of time slots for which the device is in 
an active state (i.e. sending or listening). Notably, each slot is on the order of milliseconds. Even if the
adversary never incurs a large resource expenditure in attempting to block communication, the battery
on a wireless device will permit activity over a large number of time slots and so permit the successful
transmission of many messages before it expires. Therefore, the adversary can pursue a strategy of using
small amounts of disruption in order to force a low value for $\rho$, but it will not achieve its aim of preventing
communication. In the case of DDoS attacks in wired networks, where cost is measured in bandwidth, the 
actual bandwidth values in practice are on the order of megabits; therefore, this constant does not seem 
problematic. The adversary may opt to use far less bandwidth in its attacks; however, again, this does not 
result in a very effective DDoS attack. 

This new metric of resource competitiveness differs from other prominent approaches in several
crucial ways. First, resource competitiveness measures the performance of an algorithm relative to the
performance of an adversary rather than some global optimum. Specifically, unlike competitive analysis or
approximation guarantees that are concerned with worst-case input instances (perhaps selected by an
adversary), resource-competitiveness applies to situations where an adversary is truly present in the system
rather than, for example, serving as an abstract representation of detrimental environmental effects.
Second, while we still deal with players, each player either obeys a specified protocol (i.e. is a correct player)
or behaves in a faulty manner. In the latter case, this behaviour is assumed to be coordinated by an
adversary and, in the worst case, we may consider faulty players to be pursuing arbitrary strategies; this is
in contrast to the rational players assumed by game-theoretic approaches. Critically, we point out that for
systems of n players, our definition places no bounds on the number of faulty players.

We feel that resource-competitive analysis is relevant to the area of fault-tolerant distributed computing 
where all players are resource-constrained. This notion incorporates the spirit of relative performance that 
underlies competitive analysis, approximation algorithms, and game theory. Furthermore, resource
competitiveness captures an economic flavor while allowing for non-rational, and even malicious, behaviour
by players. In this work, we obtain resource-competitive algorithms for fundamental scenarios regarding
communication between a single sender and a single receiver, as well as between a single sender and
multiple receivers. However, we believe that resource-competitive analysis will prove useful for analyzing a
number of other distributed computing problems and we consider this in Section 5.

1.3 The 3-Player Scenario 

We now describe the model parameters of the 3-Player Scenario. 

Las Vegas Property: Communication of m from Alice to (a correct) Bob must be guaranteed with
probability 1; that is, we require a Las Vegas protocol for solving the 3-Player Scenario. An obvious motivation
for this Las Vegas property is a critical application, such as an early warning detection system or the
dissemination of a crucial security update, where minimizing the probability of failure is paramount. The Las
Vegas property has additional merit in multi-hop WSNs where Monte Carlo algorithms may not be able to
achieve a sufficiently low probability of error; we expand on this in Section 3.6.3.

Channel Utilization: Sending or listening on the communication channel by Alice and Bob is measured 
in discrete units called slots. For example, in WSNs, a slot may correspond to an actual time slot in a time 
division multiple access (TDMA) type access control protocol. The cost for sending or listening is S or 
L per slot, respectively. When Carol blocks a slot, she disrupts the channel such that no communication 
is possible; blocking costs J per slot. If a slot contains traffic or is blocked, this is detectable by a player 
who is listening at the receiving end of the channel, but not by the originator of the transmission. For 
example, a transmission (blocked or otherwise) from Bob to Alice is detectable only by Alice; likewise, a 
transmission (blocked or otherwise) from Alice to Bob is detectable only by Bob. A player cannot discern 
whether a blocked slot has disrupted a legitimate message; only the disruption is detectable. For example, 
high-energy noise is detectable over the wireless channel in WSNs, but a receiving device cannot tell if 
this results from a message collision or a device deliberately disrupting the channel. We let B be the total 
amount Carol will spend over the course of the algorithm; this value is unknown to either Alice or Bob. 
Finally, we say that any player is active in a slot if that player is sending, listening or blocking in that slot. 

Correct and Faulty Players: If Alice is faulty, there is clearly no hope of communicating m; therefore, 
Alice is assumed to be correct. Regarding the correctness of Bob, in Case 1, Carol may spoof or control
Bob; in Case 2, communications from Bob are always trustworthy. We emphasize that, in Case 1, Alice 
is uncertain about whether to trust Bob since he may be faulty. This uncertainty corresponds to scenarios 
where a trusted dealer attempts to disseminate content to its neighbors, some of whom may be spoofed 
or have suffered a Byzantine fault and be used in an attempt to consume resources by requesting
numerous retransmissions. The more benign Case 2 corresponds to situations where communications sent
by Bob are never disrupted and can be trusted; here, the blocking of m being sent from Alice to Bob is the 
only obstacle. 

In the context of our definition of resource-competitiveness, in Case 1 of the 3-Player Scenario we 
have Alice as a member of P. Clearly, Carol belongs to set F. In the case of Bob, there is ambiguity 
since he may belong to P or he may belong to F. Indeed, Bob's membership is assumed to be controlled 
by Carol since she decides whether to spoof Bob or control his actions (placing him in F) or do neither 
(placing him in P). Our algorithm must achieve resource competitiveness while being oblivious to Bob's 
true membership. Lastly, in Case 2, it is clear that both Alice and Bob belong to P while Carol is the sole 
member of F. 

Types of Adversary: Carol has full knowledge of past actions by Alice and Bob. This allows for adaptive
attacks whereby Carol may alter her behaviour based on observations she has collected over time.
Furthermore, under conditions discussed in Section 2.2, Carol can also be reactive: in any slot, she may detect
a transmission and then disrupt the communication; however, we assume that she cannot detect when a
player is listening. This is pertinent to WSNs where the effectiveness of a reactive adversary has been shown
experimentally.
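
The slot model above and the ratio of Section 1.1 can be exercised directly. The following is an added example, not code from the paper: it replays the per-slot costs S, L and J and the receiver-side detection rule against an always-on baseline (an assumed baseline, not the paper's protocol) in which Alice sends for $B_0 + 1$ slots given a known bound $B_0$ on Carol's budget, then compares the resulting ratio with the one implied by the stated $O(B^{\varphi-1} + 1)$ cost. The function names and the constant c are assumptions; the text gives the bound only asymptotically.

```python
from dataclasses import dataclass
from math import sqrt

PHI = (1 + sqrt(5)) / 2  # golden ratio, as defined in the text


@dataclass(frozen=True)
class SlotCosts:
    S: float = 1.0  # cost to send in one slot
    L: float = 1.0  # cost to listen in one slot
    J: float = 1.0  # cost to block one slot


def receiver_view(sent, blocked):
    """What a listening receiver observes in one slot. A blocked slot is only
    ever noise: the receiver cannot tell whether m was underneath it."""
    if blocked:
        return "noise"
    return "message" if sent else "silence"


def run_always_on(b0, jam_slots, costs=SlotCosts()):
    """Assumed baseline, not the paper's protocol: Alice sends m in each of
    b0 + 1 slots, where b0 is a known bound on Carol's budget. Alice cannot
    observe blocking of her own transmissions, so she never stops early.
    Bob listens until he holds m."""
    spend = {"alice": 0.0, "bob": 0.0, "carol": 0.0}
    delivered_at, noise_seen = None, 0
    for slot in range(1, b0 + 2):
        blocked = slot in jam_slots
        spend["alice"] += costs.S
        if blocked:
            spend["carol"] += costs.J
        if delivered_at is None:  # Bob is still listening
            spend["bob"] += costs.L
            view = receiver_view(True, blocked)
            if view == "noise":
                noise_seen += 1
            elif view == "message":
                delivered_at = slot
    return {"spend": spend, "delivered_at": delivered_at,
            "noise_seen": noise_seen}


def resource_competitive_ratio(correct_costs, faulty_costs):
    """Largest rho with rho * max(C_i) <= sum(C_j), per Section 1.1."""
    adversary_total = sum(faulty_costs)
    if adversary_total <= 0:
        raise ValueError("the definition requires a positive adversary cost")
    worst = max(correct_costs)
    return float("inf") if worst == 0 else adversary_total / worst


def rho_from_bound(B, c):
    """Ratio guaranteed when every correct player spends at most
    c * (B**(PHI - 1) + 1). c is an assumed constant; J is taken as 1."""
    return B / (c * (B ** (PHI - 1) + 1))


def break_even_budget(c):
    """Smallest integer B at which Carol's spend exceeds the bound above,
    i.e. the threshold discussed in Section 1.2 (J taken as 1)."""
    B = 1
    while B <= c * (B ** (PHI - 1) + 1):
        B += 1
    return B


def demo(b0=100):
    """Carol jams the first beta slots (constructed scenario)."""
    rows = []
    for beta in (10, 60, 100):
        run = run_always_on(b0, set(range(1, beta + 1)))
        s = run["spend"]
        rho = resource_competitive_ratio([s["alice"], s["bob"]], [s["carol"]])
        rows.append((beta, run["delivered_at"], round(rho, 3)))
    return rows


if __name__ == "__main__":
    for beta, slot, rho in demo():
        print(f"beta={beta:3d} delivered_at={slot:3d} rho={rho}")
    print("break-even B for c=4:", break_even_budget(4.0))
    print("rho from bound at B=10^4, c=4:", round(rho_from_bound(10_000, 4.0), 2))
```

With unit costs the baseline's ratio stays below 1 however Carol spends, while the ratio implied by the stated bound grows with B once B passes the break-even point.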

1.4 Solving the 3-Player Scenario: Resource-Competitive Algorithms

We analyze the cost of our algorithms as a function of B to obtain a notion of cost incurred by a player 
that is relative to the cost incurred by Carol. In devising our resource-competitive algorithms, we desire 
(but do not always perfectly achieve) two properties. 

First, we clearly desire favourable protocols; that is, for B sufficiently large, Alice and Bob both incur
asymptotically less expected cost than Carol. DoS attacks are effective because a correct device is always
forced to incur a higher cost relative to an attacker. However, if the correct players incur asymptotically
less cost than Carol, then Alice and Bob enjoy the advantage, and Carol is faced with the problem of
having her resources consumed disproportionately in her attempt to prevent communication.

Second, our protocol should be fair; that is, Alice and Bob should incur the same worst case asymptotic
cost relative to the adversary. When network devices have similar resource constraints, such as in WSNs
where devices are typically battery powered, this is critical. Alternatively, in networks where a collection of
resource-scarce devices (i.e. client machines represented by Alice) occupy one side of the communication 
channel and a single well-provisioned device (i.e. a server represented by Bob) occupies the other side, 
the aggregate cost to Alice's side should be roughly equal to that of Bob. 

Recall our definition of resource competitiveness: $\rho \cdot \max_{p_i \in P}\{C_i\} \le \sum_{p_j \in F} C_j$ for any strategies
used by the faulty players and for $\sum_{p_j \in F} C_j > 0$. Favourability is clear from the definition and the
degree of favourability corresponds to $\rho$. By considering the maximum cost to any of the correct players,
the resource-competitive ratio is improved by spreading the cost equally over all players in P; therefore,
fairness is also motivated. However, we will see results where perfect fairness is not achieved, but rather
where the n players incur resource expenditures that are equal up to a polylogarithmic factor in terms of n,
or where we consider situations where a player may be disproportionately well-provisioned and, therefore,
absorb more cost in terms of resources. We expand on this when we examine applications in Section 3 and
Section 4.

1.5 Our Main Contributions 

Throughout, let $\varphi = (1 + \sqrt{5})/2$ denote the golden ratio. We also draw attention to the well-known
relationship that $\Phi = \varphi - 1 = 1/\varphi \approx 0.62$ where $\Phi$ is known as the golden ratio conjugate. Our results
can be presented using $\Phi$ rather than $\varphi$; however, for readability, we utilize $\varphi$ throughout. We assume that
S, L, and J are fixed constants. Our main analytical contributions are listed below.

Theorem 1.1. Assume Carol is an adaptive adversary and that she is active for B slots. There exists a 
resource-competitive algorithm for the 3-Player Scenario with the following properties: 

• In Case 1, the expected cost to each correct player is $O(B^{\varphi-1} + 1) = O(B^{0.62} + 1)$. In Case 2, the
expected cost to each correct player is $O(B^{0.5} + 1)$.

• If Bob is correct, then transmission of m is guaranteed and each correct player terminates within
$O(B^{\varphi})$ slots in expectation.

In other words, we show the existence of an $\Omega(B^{0.38})$-resource-competitive algorithm for Case 1 and an
$\Omega(B^{0.5})$-resource-competitive algorithm for Case 2. In networks with sufficient traffic, Theorem 1.1 still
holds when Carol is also reactive (Section 2.2). We also prove that any protocol which achieves $o(B^{0.5})$
expected cost for Bob requires more than 2B slots to terminate (Section 2.3); this lower bound has bearing
on the worst-case $\omega(B)$ slots required by our protocol.

We next consider a more general setting where Alice wishes to locally (single-hop) broadcast to n 
neighboring receivers of which any number are spoofed or controlled by Carol. We emphasize that we 
place no bounds on the number of faulty receivers (indeed, all of them may be in F) and their respective 
membership in P or F is known only to Carol. Unfortunately, a naive solution of having each receiver 
execute a separate instance of our 3-Player Scenario protocol fails to be remotely fair. Thus, we need a 
different algorithm to achieve the following result. 

Theorem 1.2. There exists a resource-competitive algorithm for achieving local broadcast with the
following properties:

• If Carol's receivers are active for a total of B slots, then the expected cost to Alice is
$O(B^{\varphi-1} \ln n + \ln^{\varphi} n)$ and the expected cost to any correct receiver is $O(B^{\varphi-1} + \ln n)$.

• Transmission of m is guaranteed and all correct players terminate within $O((B + \ln^{\varphi-1} n)^{\varphi+1})$
slots (not in expectation). For $B > \ln^{\varphi-1} n$, this is within an $O(B^{\varphi})$-factor of the optimal latency.

Therefore, Theorem 1.2 proves the existence of an $\Omega(B^{0.38})$-resource-competitive algorithm for the case of
single sender and n receivers; this algorithm is fair up to polylogarithmic factors. This result also holds for
a reactive adversary, assuming a sufficient level of non-critical network traffic. Since the adversary may
simply jam for the first B slots, it is impossible to achieve communication in less than B + 1 slots; it is
this value to which we refer when speaking of the optimal latency.

Our last two theorems involve the application of our previous resource-competitive results to WSNs 
and wired networks, respectively. Reliable broadcast in multi-hop WSNs deals with conveying m from 
one node to all other nodes in the network. We make the standard assumptions that any node p can be 
heard by the set of neighboring nodes in the topology, N(p) and that, for any p, at most t nodes in N(p)
suffer a fault [12, 13, 37]. We analyze the grid model using the result of Bhandari and Vaidya [13], and
general graphs using the Certified Propagation Protocol (CPA) of Pelc and Peleg [52].

Theorem 1.3. For each correct node p, assume the t nodes in N(p) are Byzantine and can be used by
Carol to disrupt p's communications for $\beta < B_0$ time slots where $B_0$ is a known positive value. Then, for
$\beta$ sufficiently large, using the local broadcast protocol of Theorem 1.2, each correct node incurs a cost of
$o(\beta)$ while achieving reliable broadcast under the following topologies:

• In the grid with the optimal fault tolerance $t < (r/2)(2r + 1)$.

• In any graph, assuming that (a) t is appropriately bounded such that CPA achieves reliable
broadcast and (b) the topology and location of the dealer is known to all correct nodes.

To the best of our knowledge, all previous reliable broadcast protocols require each correct node to spend 
more energy in attempting communication than that spent in total by adversarial nodes. Specifically, 
in [15] where address spoofing and collision detection are considered, each correct node is required to
be active for $B_0 + 1$ slots. Our results are the first to achieve favourability and, importantly, the first to
account for the significant cost of listening to the wireless channel. While favourability is achieved only for
$\beta$ = u}{t\B.^^^ t) (see Section 3.6.2 for the analysis), smaller values of $\beta$ imply that the adversary cannot
delay reliable broadcast for very long and that the cost of this interference to correct players is tolerable.
This aligns with our discussion in Section 1.2 regarding the trade-off between throughput and $\rho$.

We note that the above result requires that the number of faulty nodes is bounded. This does not 
contradict our definition of resource competitiveness which places no bounds on the cardinality of F. 
Rather, this constraint on the relationship between the topology and the number of faulty nodes arises out 
of this particular application of our resource-competitive algorithms (and it is made by all previous works
on the topic of reliable broadcast in this setting). That is, we distinguish between our resource-competitive 
results, used in our applications as primitives, and the applications of these primitives. 

Finally, Theorem 1.4 is an application of Case 2 of Theorem 1.1 to the wired client-server scenario
where Carol represents any number of malicious clients engaging in an application-level DDoS attack on 
a server. 

Theorem 1.4. Assume Carol commits her DDoS attack using a bandwidth R. Then, zero throughput is
avoided if the expected aggregate bandwidth (upstream or downstream bits per second) of both the clients
and the server is $G = O(R^{0.5})$, and the probability of a serviced request is $G/(G + R)$.

Therefore, against a server defended by our protocol, Carol must incur additional monetary costs in order 
to procure the number of machines necessary for sustaining the level of attack that she would otherwise 
achieve. Also, we note that in this application, constraints on the cardinality of F are not necessary.

1.6 Related Work 

Jamming Attacks in WSNs: Several works addressing applied security considerations demonstrate that
devices in a WSN are vulnerable to adversarial jamming [3, 8, 41, 73] where the adversary deliberately
disrupts the communication medium. Defenses include spread spectrum techniques (frequency or channel
hopping), mapping with rerouting, and others (see B3ll491l72ir73l and references therein). Recent applied
work by Ashraf et al. [4] investigates a similar line of reasoning by examining ways in which multi-block
payloads (each block in a packet has its own cyclic redundancy code), so-called "look-alike packets", and
randomized wakeup times for receivers can be used to force the adversary into expending more energy
in order to jam transmissions. The authors' approach is interesting and the use of look-alike packets to
prevent an adversary from being able to differentiate between different types of network traffic is similar to
our approach to foiling reactive jammers (see Section 2.2). However, on the whole, their approach is quite
different from our own; moreover, it appears that the authors of [4] do not provide analytical results.

There are a number of theoretical results on jamming adversaries; however, none explicitly accounts 
for listening costs and there is no notion of favourability. Closely related work by Gilbert et al. [27]
examines the duration for which communication between two players can be disrupted in a model with
collision detection in a time-slotted network against an adversary who interferes with an unknown number
of transmissions. As we do here, the authors assume channel traffic is always detectable at the receiving
end (i.e. silence cannot be "forged"). The authors employ the notion of jamming gain which is, roughly
speaking, the ratio of the duration of the disruption to the adversary's cost for causing such disruption.
This is an interesting metric which can gauge the efficiency of the adversary's attack; however, it does not
incorporate the cost incurred by the correct players in the system. Pelc and Peleg [53] examine an adversary
that randomly corrupts messages; we do not require the adversary to behave randomly. Awerbuch et
al. IS give a jamming-resistant MAC protocol in a single-hop network with an adaptive, but non-reactive,
adversary. Richa et al. [58] significantly extend this work to multi-hop networks. Dolev et al. [21] address
a variant of the gossiping problem when multiple channels are jammed. Gilbert et al. [26] derive bounds
on the time required for information exchange when a reactive adversary jams multiple channels. Meier et
al. H6l examine the delay introduced by a jamming adversary for the problem of node discovery, again
in a multi-channel setting. Dolev et al. [22] address secure communication using multiple channels with
a non-reactive adversary. Recently, Dolev et al. [20] consider wireless synchronization in the presence of
a jamming adversary. We refer the reader to the survey by Young and Boutaba [76] for a more in-depth
review of this area. 

A distinguishing feature of our results is that in all of these previous works, the notion of cost relative 
to the adversary is virtually ignored. The work that comes closest to our approach is that of Gilbert et
al. [27] in their consideration of jamming gain which is roughly defined as the ratio of the duration of the
disruption to the adversary's cost for causing the disruption. However, this is very different from resource
competitiveness which involves a comparison of the correct players' cost to that of the adversary. Another
significant difference between our work and those previous is that our notion of cost incorporates both
sending and listening costs, the latter of which has been largely overlooked. Surprisingly, listening costs
are substantial. For example, the send and listen costs for the popular Telos motes [55] are 38mW and
35mW, respectively, and these are the dominant costs for an active device. A similar relationship between
the send and listen costs holds for the well-known MICA family of devices [17, 18].

There have also been a number of game-theoretic treatments of wireless jamming. We refer the
interested reader to the survey by Manshaei et al. fl3]| for a comprehensive treatment of this area. In comparing
game-theoretic approaches to our work here, there is common ground in capturing the economics of a
system involving multiple players. Another shared trait is that a relative "cost" or resource expenditure.
However, as discussed in Section 1.1, a major differentiating feature of our model is that here we do not
assume that all players are rational. Instead, we differentiate between those players that obey a prescribed
strategy (dictated by a distributed algorithm) and those that may pursue an arbitrary strategy. The former
model is well-suited to situations where the agents are completely autonomous and behave indifferently of
each other, but not adversarially, to minimize their respective individual costs. The latter model addresses
systems where agents are not completely autonomous, but are rather coordinated by a single administrative 
entity, and truly adversarial behaviour is present. 

Reliable Broadcast: Reliable broadcast has been extensively studied in the grid model [10, 12, 14, 34, 35, 37, 62]. 
Listening costs are accounted for by King et al. [34, 35] but jamming adversaries are not 
considered; however, the authors introduce the Bad Santa problem which we use to achieve a lower bound 
result in Section 2.3. With a reactive jamming adversary, Bhandhari et al. ifTSTi give a reliable broadcast 
protocol when the amount of jamming is bounded and known a priori; however, correct nodes must expend 
considerably more energy than the adversary. Progress towards fewer broadcasts is made by Bertier et 
al. lOn ; however, each node spends significant time in the costly listening state. Alistarh et al. HI assume 
collision detection and achieve non-cryptographic authenticated reliable broadcast. They apply their result 
to the grid model with a reactive jamming adversary and also make use of the "unforgeability of silence" 
introduced in [27]; however, their algorithm, like previous algorithms for the grid, requires that devices 
incur considerable listening costs. 

Application-Level DDoS Attacks: At the application layer, DDoS attacks typically involve attackers mas- 
querading as legitimate clients by sending a large volume of proper requests with the aim of overwhelming 
the computational resources of a server. This is in contrast to flooding attacks which achieve disruption by 
depleting the bandwidth of the network; such attacks typically require significant bandwidth and attackers 
are more easily identified due to the out-of-band traffic. Application-level DoS attacks are common with 
recorded attacks on high-profile companies such as Yahoo, Amazon, CNN, eBay, and many others [25]. 
Proposals for dealing with DDoS attacks include over-provisioning [56], throttling techniques [28, 47], 
and currency schemes (see [5, 31, 69] and references therein). Here, we are focused on currency schemes, 
where the server provides service only to a client who pays in some form of currency. In [69], bandwidth 
is used as currency and, if the clients' aggregate bandwidth exceeds that of the attackers, then the clients 
capture server resources. Our work is complementary by delineating bounds on the expected bandwidth 
required to guarantee that the correct clients avoid zero throughput. 

Lastly, a preliminary version of this work appeared in [36]. This current version contains many algorithms, 
results, and proofs that were previously omitted. Additionally, we have greatly expanded our exposition in 
several sections in order to provide a self-contained document and provide a fuller discussion of the ideas 
that were proposed in the original work. 

2 The 3-Player Scenario Protocol 

Figure 1 gives the pseudocode for our protocol called 3-Player Scenario Protocol (3PSP). Each 
round $i \ge 2$ consists of 2 phases and $c$ is a constant to be determined later. We summarize a round $i$: 

• Send Phase: This phase consists of $2^{ci}$ slots. In each slot: Alice sends $m$ with probability $2/2^i$ for an 
expected total of $2^{(c-1)i+1}$ slots and Bob listens with probability $2/2^{(c-1)i}$ for an expected total of $2^{i+1}$ slots. 

• Nack Phase: This phase consists of $2^i$ slots. If Bob has not received $m$, then Bob sends a request for 
retransmission, req, for all $2^i$ slots. This request is essentially a negative acknowledgement or a nack. 
Alice listens in each slot with probability $4/2^i$ (note that $i \ge 2$ is required) for an expected total of 4 slots. 

Termination Conditions: Termination conditions are important because Carol cannot be allowed to keep 
the players active in perpetuity while simultaneously forcing them to incur a higher cost. Bob terminates 
the protocol upon receiving m. Since Alice is not spoofed, as discussed in Section 1.3, this termination 
condition suffices. Alice terminates if she listens to a slot in the Nack Phase which is not blocked and does 
not contain a req message; since blocked slots are detectable by Alice (who is on the receiving end of a 
req message) while listening (Section [Oi l, this condition suffices. That is, Alice continues into the next 
round if and only if (1) Alice listens to zero slots or (2) all slots listened to by Alice in the Nack Phase 
contain a blocked slot or req. We highlight the two situations where this condition is met: 

• Send Failure: Bob is correct and has not received m. 

• Nack Failure: Bob is faulty and sends reqs, or Bob is correct and terminated and Carol either spoofs 
reqs or blocks slots in order to trick Alice into thinking a valid req was indeed sent and/or blocked. 

Nack Failures and Cases 1 & 2: Note that an "acknowledgement" occurs via silence in at least one slot 
in the Nack Phase. We say a Nack Failure occurs when Carol blocks for all slots in the Nack Phase. 

In Case 1, a Nack Failure corresponds to a critical attack that can be employed in the Nack Phase after 
the delivery of m. Carol can avoid the listening costs in the Send Phase, and then drain Alice's energy by 
making it appear as if Bob repeatedly did not receive m and is requesting a retransmission in the Nack 
Phase. This attack affects Alice only. Note that if Bob is actually correct, the attack is only effective once 
m is received since, if a correct Bob has not received m, a req will be issued anyway and the attack 
accomplishes nothing. 

In Case 2, no blocking occurs in the Nack Phase and, therefore, no Nack Failure can occur. In fact, 
in Case 2, the Nack Phase can be shortened to a single slot where Bob sends his req and Alice listens; 
however, this does not change our cost analysis and our current presentation is more general. 

3-Player Scenario Protocol for round $i \ge 2$ 

Send Phase: For each of the $2^{ci}$ slots do 

• Alice sends $m$ with probability $2/2^i$. 

• Bob listens with probability $2/2^{(c-1)i}$. 

If Bob received the message, then Bob terminates. 

Nack Phase: For each of the $2^i$ slots do 

• Bob sends a req message. 

• Alice listens with probability $4/2^i$. 

If Alice listened to a slot in the Nack Phase where no req message or blocking 
was detected, she terminates. 

Figure 1: Pseudocode for 3-Player Scenario Protocol. 

2.1 Analysis of the 3-Party Scenario Protocol 

For a given round, we say it is a send-blocking round if Carol blocks at least half of the slots in the Send 
Phase; otherwise, it is a non-send-blocking round. Similarly, a nack-blocking round is a round where 
Carol blocks or spoofs req messages from Bob in at least half the slots in the Nack Phase; otherwise, it 
is non-nack-blocking. Throughout, assume ceilings on the number of active slots of a player if it is not an 
integer. 

Bounds on c: Clearly, $c > 1$ or Bob's listening probability in the Send Phase is nonsensical. For Case 1, 
note that if $c \ge 2$, then the expected cost to Alice is at least as much as the expected cost to a potentially 
faulty/spoofed Bob. If Bob happens to be faulty/spoofed, then the cost to him for a Nack Failure is less 
than the expected cost to Alice since a faulty/spoofed Bob will simply not listen in the Send Phase; as 
discussed above, we must avoid this since it admits a draining attack against Alice. Therefore, we have 
$1 < c < 2$. For Case 2, since Bob is guaranteed to be correct, the acceptable range is $1 < c \le 2$. 

Lemma 2.1. Consider a non-send-blocking round of 3-Player Scenario Protocol. The probability 
that a correct Bob does not receive the message from Alice is less than $e^{-2}$. 

Proof. Let $s = 2^{ci}$ be the number of slots in the Send Phase. Let $p_A$ be the probability that Alice sends 
in a particular slot. Let $p_B$ be the probability that Bob listens in a particular slot. Let $X_j = 1$ if the 
message is not delivered from Alice to Bob in the $j$-th slot. Then Pr[$m$ is not delivered in the Send 
Phase] $= \Pr[X_1X_2\cdots X_s = 1] = \Pr[X_s = 1 \mid X_1X_2\cdots X_{s-1} = 1]\cdot\Pr[X_1X_2\cdots X_{s-1} = 1]$. Let $q_j = 1$ if Carol 
does not block in slot $j$; otherwise, let $q_j = 0$. The value of $q_j$ can be selected arbitrarily by Carol. Then 
$\Pr[X_j = 1 \mid X_1X_2\cdots X_{j-1} = 1] = 1 - p_A p_B q_j$ and substituting for each conditional probability, we have 
$\Pr[X_1X_2\cdots X_s = 1] = (1 - p_A p_B q_1)\cdots(1 - p_A p_B q_s) = \prod_{j=1}^{s}(1 - p_A p_B q_j) < e^{-p_A p_B\sum_{j=1}^{s} q_j} < e^{-2}$ 
since $p_A p_B\sum_{j=1}^{s} q_j > (2/2^i)(2/2^{(c-1)i})(s/2) = (2/2^i)(2/2^{(c-1)i})(2^{ci}/2) = 2$ since the round is not 
send-blocking and so Carol blocks less than $s/2$ slots. □ 

Note that Lemma 2.1 handles adaptive (but not reactive) adversaries. A simple but critical feature of 
tolerating adaptive adversaries is that the probability that a player is active in one slot is independent from 
the probability that the player is active in another slot. Therefore, knowing that a player was active for 
k slots in the past conveys no information about future activity. Believing otherwise is the trap of the 
well-known "Gambler's Fallacy" [66]. For reactive adversaries, we need only modify Lemma 2.1 as we do 
later. 

Lemma 2.2. Assume that Bob is correct and there are no send-blocking rounds and no nack-blocking 
rounds. Then, the expected cost of each player is $O(S + L) = O(1)$. 

Proof. Using Lemma the expected cost to AUce is at most X]£2 e"^^*"^) • (2 • 2(''-^)* • 5 + 4 • L) 
< E£2(e'"^ • S + e2-2^ .Ai.L) = {e'.S- YZ2 ^"0 + (e^ • 4 • L • YZ2 = 0{S + L) = 0(1). 
Similarly, the expected cost to Bob is at most YZ^2 e"^^*"^) • (2'+^ • L + 2* • 5) < X]»=2 (e^"* • L + e^'' ■ S) 
= 0{S + L) = 0(1) since 5 and L are constants. □ 

Now consider when attacks may occur in the Nack Phase: 

Lemma 2.3. Assume that Bob has received m by round i and that round i is non-nack-blocking. Then the 
probability that Alice retransmits m in round i + 1 is less than $e^{-2}$. 

Proof. Let $s = 2^i$ be the number of slots in the Nack Phase and let $p = 4/2^i$ be the probability that 
Alice listens in a slot. For slot $j$, define $X_j$ such that $X_j = 1$ if Alice does not terminate. Then Pr[ 
Alice retransmits $m$ in round $i + 1$] $= \Pr[X_1X_2\cdots X_s = 1]$. Let $q_j = 1$ if Carol does not block in 
slot $j$; otherwise, let $q_j = 0$. The $q_j$ values are determined arbitrarily by Carol. Since Alice terminates 
if and only if she listens and does not detect any activity, then $\Pr[X_j = 1] = (1 - pq_j)$. Therefore, 
$\Pr[X_1X_2\cdots X_s = 1] < e^{-p\sum_{j=1}^{s} q_j} < e^{-2}$. □ 

Lemma 2.4. Assume there is at least one send-blocking round. Then, the expected cost to Alice is 
$O(B^{(c-1)/c} + B^{(c-1)})$ and the expected cost to a correct Bob is $O(B^{1/c})$. 

Proof. We consider Case 1 and Case 2 with regards to Bob, discussed in Section 1.3. Let $i \ge 2$ be the last 
round which is send-blocking. Let $j > i$ be the last round which is nack-blocking; if no such nack-blocking 
round exists, then assume $j = 0$. In Case 1, the total cost to Carol is $B = \Omega(2^{ci}\cdot J + 2^{j}\cdot J) = \Omega(2^{ci} + 2^{j})$ 
since $J$ is a constant. In Case 2, only send-blocking occurs and so $B = \Omega(2^{ci}\cdot J)$. 

Alice: We first calculate the expected cost to Alice prior to successfully transmitting m. In round i, Carol 
blocks the channel for at least $2^{ci}/2$ slots. Using Lemma 2.1, the expected cost to Alice prior to m being 
delivered is $O(2^{(c-1)i}\cdot S + i\cdot L) + \sum_{k=1}^{\infty} e^{-2(k-1)}\cdot(2\cdot 2^{(c-1)(i+k)}\cdot S + k\cdot L) = O(2^{(c-1)i}\cdot S) = O(2^{(c-1)i})$ 
by the bounds on c and given that S and L are constants; note, this is the total cost to Alice for Case 2. 

Now, using Lemma 2.3, we calculate the expected cost to Alice after delivery; this addresses nack- 
blocking rounds possible only in Case 1. By assumption, the last nack-blocking round occurs in round j 
and therefore Alice's expected cost is $O(2^{(c-1)j}\cdot S + j\cdot L) + \sum_{k=1}^{\infty} e^{-2(k-1)}\cdot(2\cdot 2^{(c-1)(j+k)}\cdot S + k\cdot L) = 
O(2^{(c-1)j}\cdot S)$ by the bounds on c. Therefore, the total expected cost to Alice is $O(2^{(c-1)i}\cdot S + 2^{(c-1)j}\cdot S) = 
O(2^{(c-1)i} + 2^{(c-1)j})$. Since $B = \Omega(2^{ci} + 2^{j})$, this cost as a function of $B$ is $O(B^{(c-1)/c} + B^{(c-1)})$. 

Bob: Finally, assume Bob is correct. Using Lemma 2.1, Bob's expected cost prior to receiving m is 
$O(2^{i+1}\cdot L + 2^{i}\cdot S) + \sum_{k=1}^{\infty} e^{-2(k-1)}\cdot(2\cdot 2^{i+k}\cdot L + 2^{i+k}\cdot S) = O(2^{i}\cdot L + 2^{i}\cdot S) = O(2^{i})$ since S and 
L are constants. Thus, the expected cost for Bob as a function of $B$ is $O(B^{1/c})$. □ 

We now give the proof for Theorem 1.1 stated in Section 1.3. 

Proof of Theorem. In Case 1, Lemma 2.4 tells us that the expected cost to Alice and Bob in terms of 
$B$ is $O(B^{(c-1)/c} + B^{(c-1)})$ and $O(B^{1/c})$, respectively. Therefore, the exponents of interest which control 
the cost to each player are $(c-1)/c$, $c-1$, and $1/c$. The value of $c$ that should be chosen must minimize 
$\max\{(c-1)/c,\ c-1,\ 1/c\}$ since we are interested in fair protocols. Given that $1 < c < 2$, we have 
$1/c > (c-1)/c$. Therefore, we solve for $c$ in $c - 1 = 1/c$; this gives $c = (1 + \sqrt{5})/2$ which is the 
golden ratio. By Lemma 2.2 and the above argument, the expected cost to each player is $O(B^{\varphi-1} + 1)$. 
In Case 2, Lemma 2.4 tells us that Alice's expected cost in terms of $B$ is $O(B^{(c-1)/c})$; the exponents of 
interest are simply $(c-1)/c$ and $1/c$; minimizing them yields $c = 2$. Therefore, the cost to each player is 

Finally, define latency to be the number of slots that occur prior to termination by both correct players. 
Consider how many non-send-blocking or non-nack-blocking rounds either player may endure before 
terminating successfully; let $X$ denote the random variable for this number of rounds. Then, $E[X] \le 
1\cdot(1-e^{-2}) + 2\cdot e^{-2}(1-e^{-2}) + 3\cdot e^{-4}(1-e^{-2}) + \cdots = \sum_{i=1}^{\infty} i\cdot e^{-2(i-1)}(1-e^{-2}) = (1-e^{-2})e^{2}\sum_{i=1}^{\infty} i(e^{-2})^{i}$ 
by Lemmas 2.1 or 2.3. Therefore, $E[X] \le 1/(1 - e^{-2}) = O(1)$ which translates into $O(1)$ time slots 
consumed by non-send or non-nack-blocking rounds. Now consider the send- or nack-blocking rounds; note 
that Carol is limited to at most $\lg(2B) + O(1)$ such rounds which translates to $O(B^{\varphi})$ time slots. 
Therefore, regardless of how Carol blocks, the expected number of time slots prior to successful termination is 
$O(B^{\varphi})$. □ 
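
The cost asymmetry derived above can be observed empirically. The following simulation is an added example, not code from the paper: it runs the Figure 1 protocol with c set to the golden ratio and unit costs S = L = J = 1 against one constructed Carol strategy (block every Send Phase slot of rounds 2 through r, never block the Nack Phase), and compares the mean active slots of Alice and Bob with Carol's spend B. The function names, the strategy and the unit costs are assumptions of the example.

```python
import math
import random

PHI = (1 + math.sqrt(5)) / 2  # c solving c - 1 = 1/c, the Case 1 choice in the proof above


def carol_budget(last_blocked_round, c=PHI):
    """B for the constructed Carol: every Send Phase slot of rounds 2..last_blocked_round."""
    return sum(math.ceil(2 ** (c * i)) for i in range(2, last_blocked_round + 1))


def run_3psp(last_blocked_round, c=PHI, rng=None, max_round=20):
    """One execution of the Figure 1 protocol with unit costs S = L = J = 1.

    Returns (alice_cost, bob_cost, carol_cost, latency), all counted in slots.
    """
    rng = rng or random.Random()
    alice = bob = carol = latency = 0
    bob_has_m = False
    for i in range(2, max_round + 1):
        # Send Phase: 2^(ci) slots; Alice sends w.p. 2/2^i, Bob listens w.p. 2/2^((c-1)i).
        send_slots = math.ceil(2 ** (c * i))
        p_send = 2 / 2 ** i
        p_listen_bob = min(1.0, 2 / 2 ** ((c - 1) * i))
        blocked = i <= last_blocked_round
        for _ in range(send_slots):
            a_sends = rng.random() < p_send
            b_listens = (not bob_has_m) and rng.random() < p_listen_bob
            alice += a_sends
            bob += b_listens
            carol += blocked
            if a_sends and b_listens and not blocked:
                bob_has_m = True  # Bob terminates on receiving m
        # Nack Phase: 2^i slots; Bob sends req in every slot while he lacks m,
        # Alice listens w.p. 4/2^i and terminates once she hears a silent slot.
        nack_slots = 2 ** i
        p_listen_alice = 4 / nack_slots
        alice_done = False
        for _ in range(nack_slots):
            if not bob_has_m:
                bob += 1
            if not alice_done and rng.random() < p_listen_alice:
                alice += 1
                alice_done = bob_has_m  # silence is the acknowledgement
        latency += send_slots + nack_slots
        if alice_done:
            return alice, bob, carol, latency
    raise RuntimeError("no termination within max_round rounds")


def mean_costs(last_blocked_round, trials=100, seed=1):
    """Average (alice, bob, carol, latency) over independent executions."""
    rng = random.Random(seed)
    runs = [run_3psp(last_blocked_round, rng=rng) for _ in range(trials)]
    return tuple(sum(r[k] for r in runs) / trials for k in range(4))


if __name__ == "__main__":
    print(" r        B  B^(phi-1)    Alice      Bob   latency")
    for r in range(1, 8):
        a, b, spent, lat = mean_costs(r, trials=50)
        scale = spent ** (PHI - 1) if spent else 1.0
        print(f"{r:2d} {spent:8.0f} {scale:10.1f} {a:8.1f} {b:8.1f} {lat:9.0f}")
```

With r = 1 Carol never blocks (rounds start at 2), which shows the O(1) baseline of Lemma 2.2; for larger r both players' columns stay within a small constant multiple of the B^(phi-1) column while B itself grows much faster.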



2.2 Tolerating a Reactive Adversary 

Consider a reactive adversary Carol who can detect channel activity without cost, and then block the 
channel; this ability is possible in WSNs (see Section lTT]) . In our 3-Player Scenario, Carol can now detect 
that m is being sent in the Send Phase and block it without fail. To address this powerful adversary, we 
consider the case where critical data, m, and more often, non-critical data m' , is sent over the channel 
by other participants in addition to Alice and Bob. Carol can detect the traffic; however, she cannot 
discern whether it is m or m' without listening to a portion of the communication (such as packet header 
information). 

In a slot where channel activity is detected, even if Carol listens for a portion of the message, she 
incurs a substantial cost. Therefore, the cost to Carol is proportional to the number of messages to which 
she listens. Importantly, in the presence of m' , Carol's ability to detect traffic for free is unhelpful since 
m' provides "camouflage" for m. Certainly Carol may block all active slots to prevent transmission of m; 
however, this is no different than blocking all slots in our original 3-Player Scenario. 

As an extreme example, assume that all slots in the Send Phase are used either by Alice to send m 
(as per our protocol) or Dave, whose transmissions of m' do not interest Carol, and the probability that a 
slot is used by Dave is higher. Then detecting channel activity does not help Carol decide on whether to 
block; all slots are used. Regardless of how she decides to act, Carol can do no better than picking slots 
independent of whether she detects channel activity. In other words, channel activity is no longer useful in 
informing Carol's decisions about whether to block. 

But assuming all slots are active is problematic: (1) How is this guaranteed or coordinated? (2) Doesn't 
this much background traffic interfere with Bob's ability to receive from Alice? Instead, assume that other 
network traffic occurs such that Carol will always detect traffic on at least a constant fraction of slots in 
the Send Phase. Note that this does not help her block transmissions by Alice since she does not know the 
total amount of traffic that she will detect. Now, not all slots will necessarily be active. Upon detecting 
traffic, can Carol listen to a portion of the message to discover if it is m or m' and then decide on whether 
to block? Yes, but this is roughly as expensive as simply blocking outright. So again, detecting channel 
activity does not inform Carol's decisions. This is the idea behind our analysis. 

This corresponds to situations where communication occurs steadily between many participants or via 
several distributed applications, and Carol wishes to target only a critical few. If m and m' are sent over 
the channel in the same slot, the two messages collide and Bob receives neither. Define a slot as active if 
either m or m' is sent in that slot. For this result only, redefine a send-blocking round as one where Carol 
listens or blocks for at least a 1/3-fraction of the active slots; otherwise, it is a non-send-blocking round. 
We provide a result analogous to Lemma 2.1. 

Lemma 2.5. Let Carol be an adaptive and reactive adversary. Then, in a non-send-blocking round of the 
3-Player Scenario Protocol, the probability that Bob does not receive m from Alice is at most $e^{-2}$. 

Proof. Let $x = 2^{ci}$ be the number of slots in the Send Phase. Consider the set of slots used by all 
participants other than Alice. We assume these participants pick their slots at random to send, so that 
for any slot the probability is 2/3 that the slot is chosen by at least one of them. Since we assume these 
messages $m'$ are sent independently at random, then Chernoff bounds imply that, with high probability 
(i.e., 1 − for constants $c'$, $\epsilon$ and sufficiently large $x$) the number of slots $y$ during which $m'$ is sent 
is greater than $(2x/3)(1 - \epsilon)$ where $x$ is the total number of slots in a phase. In the same way, assume 
the number of slots in which Alice sends is at least $a = (1 - \delta)x p_A = (1 - \delta)2^{(c-1)i+1}$ with probability 
$1 - 1/x^{c''}$ for constants $\delta$, $c''$ and sufficiently large $x$. The number of active slots sent by Alice or other 
participants is clearly at least $y$. 

By definition of a non-send-blocking round, Carol listens to or blocks less than $x/3$ (active) slots. As 
Carol has no information about the source of a message sent in an active slot until she listens to it, her 
choice is independent of the source of the message. Given a slot that Alice sends on, there is at least a 
$1 - (x/3)/y$ chance it will not be listened to or blocked by Carol. The probability that this slot will not 
be used by another participant is 1/3 and the probability that Bob will listen to the slot is $p_B$. Hence 
the probability of a successful transmission from Alice to Bob on a slot which Alice sends on is at least 
$p = (1 - x/(3y))(1/3)p_B = (1 - 1/(2(1-\epsilon)))(1/3)p_B > (1/3 - (1+\delta)/6)p_B$ for sufficiently large $x$ (that 
reduces the size of $\delta$) when $y > (1-\epsilon)(2x/3)$. Therefore, we can write $p > (1/12)p_B$. The probability that 
all messages that Alice sends fail to be delivered is at most $(1 - p_B/12)^{a} + 2/x^{c''}$ where the last term is the 
probability of the bad event that $y$ or $a$ is small and $c'' >$ is a constant. Redefine $p_B = 24/((1-\delta)2^{(c-1)i})$ 
where the value 24 is there simply to offset the additive term. Note that this constant factor increase 
in the listening probability does not change our asymptotic results and our analysis in Section 2.1 proceeds 
almost identically. Therefore, we then have $(1 - p_B/12)^{a} + 2/x^{c''} < e^{-2}$. □ 

The 3-Player Scenario Protocol can be modified so that the initial value of $i$ is large enough to 
render the error arising from the use of Chernoff bounds sufficiently small; we omit these details. Also, the 
required level of channel traffic detected by Carol is flexible and different values can be accommodated if the 
players' probabilities for sending and listening are modified appropriately in the 3-Player Scenario 
Protocol; our results hold asymptotically. Finally, we emphasize that Lemma 2.3 does not require 
modification. Carol cannot decide to block only when Alice is listening since detecting when a node is 
listening is impossible. Alternately, Carol cannot silence a req through (reactive) blocking since this is 
still interpreted as a retransmission request. Using Lemma 2.3, Theorem 1.1 follows as before. 

Finally, we note that the conclusion of our argument aligns with claims put forth in empirical results on 
reactive jamming in WSNs; that is, such behaviour does not necessarily result in a more energy-efficient 
attack because the adversary must still be listening to the channel for broadcasts prior to committing itself 
to their disruption [74]. 

2.3 On Latency and Lower Bounds 

In Section 1.6, we mentioned the Bad Santa problem which is described as follows. A child is presented 
with K boxes, one after another. When presented with each box, the child must immediately decide 
whether or not to open it. If the child does not open a box, it can never be revisited. Half the boxes have 
presents in them, but the decision as to which boxes have presents is made by an adversarial Santa who 
wants the child to open as many empty boxes as possible. The goal is for the child to obtain a present with 
probability 1, while opening the smallest expected number of boxes. In [34, 35], the authors prove a lower 
bound of $\Omega(K^{0.5})$ on the expected number of opened boxes. 

Theorem 2.6. Any algorithm that solves the 3-Player Scenario with $o(B^{0.5})$ cost to Bob must have a 
latency exceeding $2B$. 

Proof. A lower bound for the 3-Player Scenario is complicated by the possibility that the strategies of 
Alice and Bob may adapt over time; for example, they may change depending on how Carol blocks. To 
address this, we assume a more powerful Bob. Specifically, assume that communication of m occurs if 
Bob is able to find an unblocked time slot in which to listen or to send. Furthermore, assume Bob can tell 
when he has found such a slot once he listens or sends in that slot. Therefore, such a Bob is at least as 
powerful as the Bob in the 3-Player Scenario. 

Now, if Carol has a budget of size $B$, we ask: Does Bob have a strategy with $o(B^{0.5})$ expected active 
slots such that, with probability 1, he finds at least one unblocked slot within $2B$ slots? Assume that such 
a strategy exists and consider the Bad Santa problem on $2B$ boxes. Using Bob's strategy, the child is 
guaranteed to obtain a present with probability 1 while opening $o(B^{0.5})$ boxes in expectation. However, 
this contradicts the $\Omega(B^{0.5})$ lower bound result in [34] and the result follows. □ 

This result illustrates a relationship between the Bad Santa problem and the 3-Player Scenario, and it 
provides some insight into why our protocol has a worst-case latency of $\omega(B)$ slots. 

3 Application 1: Jamming Resistance in Wireless Sensor Networks 

The shared wireless medium of sensor networks renders them vulnerable to jamming attacks fTOl . A jamming 
attack occurs when an attacker transmits noise at high energy, possibly concurrently with a (legitimate) 
transmission, such that communication is disrupted within the area of interference. Consequently, 
this behaviour threatens the availability of sensor networks [72]. 

3.1 Rationale for the 3-Player Scenario Involving WSN Devices 

Wireless network cards offer states such as sleep, receive (or listen) and transmit (or send). While the sleep 
state requires negligible power, the costs of the send and listen states are roughly equivalent and dominate 
the operating cost of a device. For example, the send and listen costs for the popular Telos motes are 
38mW and 35mW, respectively (note $S \approx L$) and the sleep state cost is 15μW [55]; therefore, the cost of 
the send/listen state is more than a factor of 2000 greater and the sleep state cost is negligible. Disruption 
may not require jamming an entire slot so we set $J < S$ and assume a small m such that $J$ and $S$ are within 
a constant factor of each other; larger messages can be sent piecewise. In our protocols, we account for 
both send and receive costs. Throughout, when a node is not active, we assume it is in the energy-efficient 
sleep state. 

Slots: There is a single channel and a time division multiple access (TDMA)-like medium access control 
(MAC) protocol; that is, a time-slotted network. For example, the well-known LEACH [30] protocol 
is TDMA-based. For simplicity, a global broadcast schedule is assumed; however, this is likely avoid- 
able if nodes maintain multiple schedules as with S-MAC fJ5\ . Even then, global scheduling has been 
demonstrated by experimental work in BOl and secure synchronization has been shown [24]. 

A blocked slot occurs when Carol jams. Clear channel assessment (CCA), which subsumes carrier 
sensing, is a common feature on devices for detecting such events [57] and practical under the IEEE 
802.11 standard [19]. Collisions are only detectable by the receiver [72]. When a collision occurs, a correct 
node discards any received data. We assume that the absence of channel activity cannot be forged by the 
adversary; this aligns with the empirical work by Niculescu [50] who shows that channel interference 
increases linearly with the combined rate of the sources. Finally, we also note that several theoretical 
models feature collision detection (see |[ni6l [T5ll27ll58l ). 

On Reactive Adversaries: CCA is performed via the radio chip using the received signal strength indicator 
(RSSI) [65]. If the RSSI value is below a clear channel threshold, then the channel is assumed to 
be clear Q. Such detection consumes on the order of 10^^ W which is three orders of magnitude smaller 
than the send/listen costs; therefore, Carol can detect activity (but not message content) at essentially zero 
cost. Listening to even a small portion of a message costs on the order of milliwatts and our argument 
from Section 2.2 now applies. 

Cryptographic Authentication: We assume that messages can be authenticated. Therefore, Carol cannot 
spoof Alice; however, Bob's req can essentially be spoofed by a Nack Failure (as discussed in Section 2) 
which, along with jamming, makes the problem non-trivial. Several results show how light-weight cryptographic 
authentication can be implemented in sensor networks [32, 38, 42, 70, 71]; therefore, it is important 
to consider its impact as we do here. However, the adversary may capture a limited number of players 
(such as Bob); these players are said to suffer a Byzantine fault and are controlled by the adversary [70, 72]. 
Given this attack, we emphasize that, while we assume a shared key to achieve authentication, attempts 
to share a secret send/listen schedule between Alice and Bob allow Carol to manipulate players in ways 
that are problematic. This is discussed further in Section 3.3. 

3.2 Local Broadcast and Guaranteed Latency 

Our protocol LOCAL BROADCAST handles the general single-hop broadcast situation where Alice sends 
m to a set of n neighboring receivers within her transmission range. At first glance, this seems achievable 
by having each receiver execute an instance of 3PSP with Alice. However, the expected active time for 
Alice is an $\Omega(n)$-factor larger than any correct receiver; thus, this is unfair. Furthermore, this protocol has 
poor latency. Here, we give a fast protocol that is both fair and favourable up to small polylogarithmic 
factors. 

Our pseudocode is given in Figure 2 which is valid for $n > 2$. The probabilities for sending and 
listening are modified and there are two more phases (the Deterministic Send and Deterministic Nack 
Phases) where players act deterministically. Note that req messages can collide in the Probabilistic Nack 
Phase and will certainly collide in the Deterministic Nack Phase. This is correct as such a collision is 
due to either jamming or multiple receivers (correct or faulty) requesting a retransmission; this is fine and 
Alice will resend. LOCAL BROADCAST takes in as arguments the message m, the sender (Alice) and the 
set of receivers $R_{Alice}$. If the adversary jams, then none of the correct receivers receive m in that slot. We 
now prove the properties of LOCAL BROADCAST; for simplicity, we dispense with the notation S, L, and 
J. 

Lemma 3.1. Consider a non-send-blocking round. The probability that at least one correct receiver does 
not receive the message from Alice is less than $1/n^2$. 

Proof. Let $s$ be the number of slots in the Probabilistic Send Phase of round $i$. Let $p_A = 3\ln n/2^i$ be the 
probability that Alice transmits in a particular slot. Let $p_b = 2/2^{(c-1)i}$ be the probability that a particular 
correct receiver $b$ listens in a particular slot. Let $X_j = 1$ if the message is not transmitted from Alice to 
receiver $b$ in the $j$-th slot. Then Pr[$m$ is not successfully transmitted to $b$ during the Probabilistic Send 
Phase] $= \Pr[X_1X_2\cdots X_s = 1] = \Pr[X_s = 1 \mid X_1X_2\cdots X_{s-1} = 1]\cdot\Pr[X_1X_2\cdots X_{s-1} = 1]$. Let $q_j = 1$ 
if the adversary does not jam given $X_1X_2\cdots X_{j-1}$; otherwise, let $q_j = 0$. The value of $q_j$ can be selected 
arbitrarily by the adversary. Then $\Pr[X_j = 1 \mid X_1\cdots X_{j-1} = 1] = 1 - p_A p_b q_j = 1 - (6\ln n/2^{ci})q_j$. Then 
we have $\Pr[X_1X_2\cdots X_s = 1] = (1 - p_A p_b q_1)\cdots(1 - p_A p_b q_s) \le \prod_{j=1}^{s}\left(1 - (6\ln n/2^{ci})q_j\right) < e^{-(6\ln n/2^{ci})\sum_{j=1}^{s} q_j} <$ 
since $p_A p_b\sum_{j=1}^{s} q_j > (6\ln n/2^{ci})\cdot(2^{ci}/2) = 3\ln n$ given that this is a non-send-blocking round. 
Taking a union bound, the probability that at least one correct receiver has not received $m$ is less than 
$1/n^2$. □ 

LOCAL BROADCAST($m$, Alice, $R_{Alice}$) for round $i \ge \lg(4\ln n)$ 

Probabilistic Send Phase: For each of the $2^{ci}$ slots do 

• Alice sends $m$ with probability $3\ln n/2^i$. 

• Each receiver that has not terminated listens with probability $2/2^{(c-1)i}$. 

Deterministic Send Phase: For each of the $2^{(c-1)i+1}$ slots do 

• Alice sends $m$. 

• Each receiver that has not terminated listens. 

Any receiver that receives $m$ terminates the protocol. 

Probabilistic Nack Phase: For each of the $2^i$ slots do 

• Each receiver that has not terminated sends a req message. 

• Alice listens with probability 

Deterministic Nack Phase: For each of the $2^{(c-1)i+1}$ slots do 

• Each receiver that has not received $m$ sends a req message. 

• Alice listens. 

If Alice listened in either a Probabilistic Nack Phase or a Deterministic Nack Phase 
and detected no req message or collision then she terminates the algorithm. 

Figure 2: Pseudocode for Local Broadcast. 

A notable difference between Lemma 3.1 and the previous Lemma 2.1 is that here we want to bound the 
probability that any correct node has not received m. This requires a union bound which necessitates the 
$O(\log n)$ factor in our new analysis. A slightly tighter analysis may be possible; however, it should not 
change things asymptotically. We also note Lemma 3.1 can be modified to handle a reactive adversary in 
the same way as done for 3-Player Scenario Protocol; we omit the details. 

Lemma 3.2. Assume that by round i all correct receivers have heard the message m. Assume that round 
i is non-nack-blocking. Then the probability that Alice retransmits the message in round i + 1 is less than 
$1/n^2$.

Proof. This is computed similarly to the proof of Lemma 3.1. Let s be the number of slots in the
Probabilistic Nack Phase and let $p = 4/2^i$ be the probability that Alice listens in a slot. For slot j, define
$X_j$ such that $X_j = 1$ if Alice does not terminate. Then Pr[Alice retransmits m in round i + 1] =
$\Pr[X_1 X_2 \cdots X_s = 1]$. Let $q_j = 1$ if the adversary does not jam given $X_1 X_2 \cdots X_{j-1}$; otherwise, let
$q_j = 0$. The $q_j$ values are determined arbitrarily by the adversary who controls the faulty receivers. Since
Alice terminates if and only if it listens and does not detect any activity, then $\Pr[X_j = 1] = (1 - p q_j)$.
Therefore, $\Pr[X_1 X_2 \cdots X_s = 1] \le e^{-p \sum_{j=1}^{s} q_j} < n^{-2}$ since $p \sum_{j=1}^{s} q_j > (4 \ln n / 2^i)(2^i/2) = 2 \ln n$
given that this is a non-nack-blocking round. □

Lemma 3.3. Assume all receivers are correct and there are no send-blocking or nack-blocking rounds. 
Then the expected cost to Alice is $O(\ln^{\varphi} n)$ and the expected cost to any correct receiver is $O(\ln n)$.

Proof. Let $d = \lg(4 \ln n)$ and $n > 3$. Using Lemma 3.1, the expected cost to Alice is at most:

$$\sum_{i=d}^{\infty} n^{-2(i-d)} \cdot \left(2^{(\varphi-1)i} \cdot 3 \ln n + 2^{(\varphi-1)i+1} + 4 + 2^{(\varphi-1)i+1}\right)$$

$= O(\ln^{\varphi} n) + \ln n$

$= O(\ln^{\varphi} n)$ by the geometric series.

Similarly, using Lemma 3.2, the expected cost to each receiver is at most:

$$\sum_{i=d}^{\infty} n^{-2(i-d)} \cdot \left(2^{i+1} + 2^{(\varphi-1)i+1} + 2^{i} + 2^{(\varphi-1)i+1}\right)$$

$= O(\ln n) +$

$= O(\ln n)$ by the geometric series.

□



Lemma 3.4. Assume there is at least one send-blocking round. The expected cost to Alice is $O(B^{\varphi-1} \ln n + \ln^{\varphi} n)$
and the expected cost to any correct receiver is $O(B^{\varphi-1} + \ln n)$.

Proof. Let $i \ge \lceil \lg(4 \ln n) \rceil$ be the last round which is send-blocking and let j be the last round which is
nack-blocking, $j > i$; if no such nack-blocking round exists, then j = 0. Then the cost to the adversary is
$B = \Omega(2^{\varphi i} + 2^{j})$.

Alice: Using Lemma 3.2, the expected cost to Alice prior to successfully terminating is
$O(2^{(\varphi-1)i} \ln n) + \sum_{k=1}^{\infty} n^{-2(k-1)} \cdot O(2^{(\varphi-1)(j+k)} \ln n) = O(2^{(\varphi-1)i} \ln n + 2^{(\varphi-1)j} \ln n)$.
Therefore, in terms of B, the cost to Alice is $O(B^{\varphi-1} \ln n)$ and by Lemma 3.3 Alice's total expected cost is $O(B^{\varphi-1} \ln n + \ln^{\varphi} n)$.

Correct Receivers: In the worst case, all rounds up to i have been send-blocking, in which case the
expected cost to each correct receiver up to the end of round i + 1 is $O(2^{i})$. Therefore, in terms of B, and
using Lemma 3.3, the cost to each correct receiver is $O(B^{\varphi-1} + \ln n)$ noting that $1/\varphi = \varphi - 1$. □



Lemma 3.5. Alice and all correct receivers terminate LOCAL BROADCAST in $25 \cdot (B + 2^{\varphi-1} \ln^{\varphi-1} n)^{\varphi+1}$
time slots.

Proof. The deterministic phases play a key role in establishing the bound on latency. If the adversary
is not active for all slots in the deterministic Send Phase, then all correct receivers obtain m. Once all
correct receivers terminate, the adversary must be active in all slots of the deterministic Nack Phase in
order to prevent Alice from terminating. Therefore, prior to successful termination of all correct players
(including Alice), the adversary is active for at least $2^{(\varphi-1)i+1}$ slots per round i in Epochs 2 and 4. For
$d = \lg(4 \ln n)$, we seek the number of rounds p such that $\sum_{i=d}^{p} 2^{(\varphi-1)i+1} \ge B$ which yields that
$p > \varphi \lg(B + 2^{\varphi-1} \ln^{\varphi-1} n)$ rounds suffices to exhaust the adversary (we are not being exact). Each round i
has at most $4 \cdot 2^{\varphi i+1}$ slots so p rounds equal at most $25 \cdot (B + 2^{\varphi-1} \ln^{\varphi-1} n)^{\varphi+1}$ slots. □






The value n is the number of devices within the broadcast range of Alice. Throughout, we have assumed
that n is known a priori. There has been work done on node discovery in the presence of jamming
(see Meier et al. B6l) and we assume that similar techniques can be used to obtain the value n. For a
determined adversary, we expect B > n; that is, for an adversary intent on preventing communication, the
number of time slots jammed will likely exceed the number of neighbors. Therefore, $B \gg \ln^{\varphi-1} n$. In this
case (actually for $B > \ln^{\varphi-1} n$), the latency is $O(B^{\varphi+1})$ and, noting that Carol can prevent transmission
for at least B slots, this is within an $O(B^{\varphi})$-factor of the optimal latency. By this and Lemmas 3.3, 3.4
and 3.5, Theorem 1.2 now follows.
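An added simulation of LOCAL BROADCAST (Figure 2) against a jamming budget B, not code from the paper. Assumptions: Alice's send probability is taken as $3 \ln n / 2^i$, the value implied by $p_A p_B = 6 \ln n / 2^{\varphi i}$ in the proof of Lemma 3.1; phase lengths are rounded up to whole slots; and the adversary is a constructed one that jams every slot until its budget is spent.

```python
import math
import random

PHI = (1 + math.sqrt(5)) / 2  # golden ratio used in the phase lengths


def local_broadcast(n, budget, seed=1):
    """Simulate LOCAL BROADCAST from Alice to n correct receivers.

    Constructed adversary: jams every slot from the start until `budget`
    slots have been jammed, then stays silent. A cost of 1 is charged for
    every slot in which a player sends or listens.
    """
    rng = random.Random(seed)
    spent = 0                    # slots jammed so far
    has_m = [False] * n          # a receiver holding m has terminated
    recv_cost = [0] * n
    alice_cost = 0
    slots = 0

    def jammed():
        nonlocal spent
        if spent < budget:
            spent += 1
            return True
        return False

    def result():
        return {"alice_cost": alice_cost, "max_receiver_cost": max(recv_cost),
                "adversary_spent": spent, "slots": slots, "last_round": i,
                "all_received": all(has_m)}

    i = math.ceil(math.log2(4 * math.log(n)))        # first round: i >= lg(4 ln n)
    while True:
        det_len = math.ceil(2 ** ((PHI - 1) * i + 1))
        send_phases = (
            # (slots, Pr[Alice sends], Pr[receiver listens])
            (math.ceil(2 ** (PHI * i)), 3 * math.log(n) / 2 ** i, 2 / 2 ** ((PHI - 1) * i)),
            (det_len, 1.0, 1.0),                     # deterministic send phase
        )
        for length, p_send, p_listen in send_phases:
            for _ in range(length):
                slots += 1
                blocked = jammed()
                sending = rng.random() < p_send
                alice_cost += sending
                for r in range(n):
                    if not has_m[r] and rng.random() < p_listen:
                        recv_cost[r] += 1
                        if sending and not blocked:
                            has_m[r] = True          # m received: receiver terminates
        nack_phases = ((2 ** i, 4 / 2 ** i), (det_len, 1.0))
        for length, p_alice in nack_phases:
            for _ in range(length):
                slots += 1
                blocked = jammed()
                pending = [r for r in range(n) if not has_m[r]]
                for r in pending:
                    recv_cost[r] += 1                # pending receiver sends req
                if rng.random() < p_alice:
                    alice_cost += 1
                    if not pending and not blocked:
                        return result()              # silence heard: Alice terminates
        i += 1                                       # blocked round: double up


if __name__ == "__main__":
    for b in (0, 2000, 20000):
        print(b, local_broadcast(n=8, budget=b))
```

Because any receiver without m sends req in every nack slot, Alice can only hear silence once all receivers hold m, so the run always ends with complete delivery; the jammer's spend can then be compared directly with the per-player costs.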

3.3 Why a Shared Schedule is Problematic 

In our WSN application, we assume that messages from Alice can be authenticated using light-weight 
cryptographic techniques. Given this, we consider: might Alice and Bob (or even more players) also share 
a secret schedule? This would reduce the costs in Theorem 1.1 due to the Send Phase where neither player
knows if the other is active with any certainty. 

Unfortunately, such a schedule becomes known to the adversary if a player suffers a Byzantine fault 
and this causes problems in more general scenarios. For instance, consider the simple extension of Alice 
and two receivers. In our local broadcast problem, which is a key subroutine for our reliable broadcast 
protocol, Alice broadcasts to its two neighboring receivers concurrently in order to be fair. Therefore, both 
receivers must know when Alice transmits in the Send Phase. By corrupting one receiver, this schedule 
becomes known to the adversary who can then block transmissions by Alice perfectly and easily prevent 
the other receiver from receiving m. Clearly, this attack extends to the case where there are n receivers 
and Alice wants to achieve a local broadcast. 

Other problems arise in a multi-hop scenario. For example, in our reliable broadcast protocol, each 
node listens to many different senders. A faulty receiver can interfere with many more senders by acting 
in the same manner as above for each of these senders. Therefore, by purposely avoiding a pre-set shared 
schedule, our use of randomness allows us to foil such attempts by the adversary. 

3.4 Jamming-Resistant Reliable Broadcast: Obtaining Favourability 

Reliable broadcast has been extensively studied in the multi-hop grid model [12]-[14], [35], [37], particularly
with a jamming adversary lITl fTTllTSl. Reliable broadcast is possible when t Byzantine nodes can each jam
at most $n_c$ transmissions [15]. Unfortunately, the protocol of [15], and the improvement by [11], requires
that correct nodes possess more energy than the Byzantine nodes. In particular, while the sending costs
are improved in [11], both [11], [15] allow the adversary to force a correct node to listen for $t \cdot n_c + 1$
slots where $n_c$ is the number of times each node can cause a message collision (listening costs in HI are
similar). Therefore, while the total sum cost to the adversary is $t \cdot n_c$, each correct node may suffer a
cost of $t \cdot n_c + 1$. This cost ratio affords the adversary a DDoS attack since these previous protocols are
consistently unfavourable.

3.5 A Review of Reliable Broadcast in the Grid Model 

For the purposes of being self contained, we begin with a review of the popular grid model of WSNs lITOl
[12]-[14], [34], [35], [37], [67]. Here, each point in a two-dimensional grid holds a node and we let $p(x, y)$ denote
the node p at location $(x, y)$. Whenever a node sends a message, all listening nodes within $L_\infty$ distance r
can hear this message assuming there is no interference. The notation $N(p)$ or $N(x, y)$ denotes the set

In the $L_\infty$ metric, the distance between two points $(x_1, y_1)$ and $(x_2, y_2)$ is $\max\{|x_1 - x_2|, |y_1 - y_2|\}$.
Reliable Broadcast Protocol (Bhandari and Vaidya, 2005)

• Initially, the source s does a local broadcast of message m.

• Each node $i \in N(s)$ commits to the first value it receives from s and does
a one-time broadcast of COMMIT(i, m).

• The following protocol is executed by each node j (including those nodes
in the previous two steps):

- On receipt of a COMMIT(i, m) message from a neighbor i, node j
records the message and broadcasts HEARD(j, i, m).

- On receipt of a HEARD( , i, m), node j records this message.

- Upon receiving COMMIT or HEARD messages that 1) claim v as the
correct value and 2) are received along at least t + 1 node disjoint
paths that all lie within a single neighbourhood, then node j commits
to v and does a one-time broadcast of COMMIT(j, m).



Figure 3: The reliable broadcast protocol proposed by Bhandari and Vaidya for tolerating Byzantine faults
in the grid model.

of nodes within radius r of a node $p(x, y)$; this is referred to as p's broadcast neighbourhood. Within any
broadcast neighbourhood, at most t nodes may suffer a fault; this is the "t-locally bounded fault model". 

There is a dealer (also referred to as the source in the literature) located at (0, 0) and all nodes are 
aware of this. There is also a global broadcast schedule that assigns each node p a time slot in which p 
may broadcast. In [37], an example broadcast schedule is provided: each node in position $(x, y)$ broadcasts
in time slot $((x \bmod (2r+1)) \times (2r+1) + (y \bmod (2r+1))) \bmod (2r+1)^2$. Finally, for simplicity, we
assume that messages fit within a single slot.

The results by Koo lITTi and by Bhandari and Vaidya [13] prove that when faults are Byzantine, reliable
broadcast is possible in the grid if and only if $t < (r/2)(2r+1)$. Figure 3 provides the pseudocode for the
reliable broadcast protocol of Bhandari and Vaidya [13] that achieves this optimal fault tolerance.

Proving that this protocol is correct is non-trivial. Here, for the purposes of being self contained, we 
provide a summary of the proof and refer the interested reader to [13] for a complete analysis. A review
is also helpful in providing the groundwork for our following arguments which follow the same general
structure. Throughout the protocol, the message COMMIT(i, m) means that node i has committed to a
message m, and the message HEARD(j, i, m) means that node j has heard a message COMMIT(i, m). We
also require the notion of a perturbed neighbourhood $PN(p)$ of $p(a, b)$ as
$PN(p) = N(a+1, b) \cup N(a-1, b) \cup N(a, b+1) \cup N(a, b-1)$. The proof in [13] proceeds by showing that for each node p in $PN(a, b) - N(a, b)$,
there exist $2t + 1$ paths $P_1, \ldots, P_{2t+1}$ lying within a single neighbourhood $N(a, b + r + 1)$, each
having one of the forms listed below:

• $P_i = (q, p)$ which is a one hop path $q \to p$, or

• $P_i = (q, q', p)$ which is a two hop path $q \to q' \to p$

where $q, q', p$ are distinct nodes and $q, q'$ belong to a single neighbourhood $N(a, b + r + 1)$, and $q \in N(a, b)$
where, crucially, the correct nodes in $N(a, b)$ have committed to the correct message. The existence of
these $2t + 1$ paths, and the fact that each broadcast neighbourhood has at most $t < (r/2)(2r+1)$ Byzantine
faults, is sufficient to prove that reliable broadcast is achieved by the protocol. For simplicity, we can
Figure 4: Depiction of the sets $A_p$, $B_p$, $B'_p$ and sister nodes for a particular node p in the grid. Here
a, b, z = and r = 3 so the corridor C has width 2r + 1 = 7.



consider $p \in N(a, b+1)$ since the analysis is nearly identical for the cases where $p \in N(a+1, b)$,
$p \in N(a-1, b)$, and $p \in N(a, b-1)$.

The node p lies in $N(a, b+1) - N(a, b)$ and can be considered to have location $(a - r + z, b + r + 1)$
where $0 \le z \le 2r$. Now, summarizing the proof in [13], we prove the existence of $r(2r+1)$ node-disjoint
paths $P_1, \ldots, P_{r(2r+1)}$ all belonging to the same neighbourhood:

• One-Hop Paths: the set of nodes $A_p = \{q(x, y) \mid (a - r) \le x \le (a + z) \text{ and } (b + 1) \le y \le (b + r)\}$
belong to $N(a, b)$ and are neighbors of p. Therefore, there exist $r(r + z + 1)$ paths of the form $q \to p$
where $q \in A_p$.

• Two-Hop Paths: consider the sets $B_p = \{q(x, y) \mid (a + z + 1) \le x \le (a + r) \text{ and } (b + 1) \le y \le (b + r)\}$
and $B'_p = \{q'(x', y') \mid (a + z + 1 - r) \le x' \le a \text{ and } (b + r + 1) \le y' \le (b + 2r)\}$. The
nodes in $B_p$ are in $N(a, b)$ while the nodes in $B'_p$ are in $N(p)$. Moreover, the set $B'_p$ can be obtained
by shifting $B_p$ left by r units and up by r units. Therefore, there exists a one-to-one mapping between
the nodes in $B_p$ and the nodes in $B'_p$. For $u \in B_p$, we call the corresponding node $u' \in B'_p$ the
sister node of u. Note that each node has at most two sister nodes, and this can be seen in Figure 4.
Therefore, there are $r(r - z)$ paths of the form $q \to q' \to p$.

In total, there are $r(r + z + 1) + r(r - z) = r(2r + 1)$ disjoint paths all belonging to the neighbourhood
$N(a, b + r + 1)$. Figure 4 depicts aspects of the discussion above where a, b = 0. Now, note that the
predecessor set $G_p = A_p \cup B'_p$ is the set of nodes to which p must listen in order to gather the information
that allows p to commit to the correct message.

In this section, we extend our results for single-hop communication problems to achieve jamming-resistant
protocols for reliable broadcast. Our protocols rely heavily on the results of Bhandari and
Vaidya [13] discussed above. In particular, we assume that each node p knows a predecessor set $G_p$
of nodes to which node p should listen for messages. As we have just seen, the existence of $G_p$ is shown
by the constructive proofs in [13]. Our protocols detail when each node p should listen to nodes in $G_p$ and
when each node p should broadcast its commitment message.



3.5.1 Our Reliable Broadcast Protocol in the Grid 

As discussed, there are $t < (r/2)(2r+1)$ Byzantine nodes in any neighborhood. We reiterate our statement
from Section 1.3 that this bound does not contradict our definition of resource competitiveness. Rather,
as we have seen in the review above, this bound is necessary or otherwise reliable broadcast in the grid
is infeasible; this is a constraint imposed by the application considered here. Similarly, unlike our single-hop
case, the amount of jamming in a neighborhood is upper bounded by $B_q$ and known. This is required
in [11], [15] and a similar assumption is made in Il6ll58l. $B_q$ represents the number of times a Byzantine node
can deviate from the global schedule within some time frame in a neighborhood before being identified and
subjected to defensive techniques (see fJ2l). Not exceeding $B_q$ in each time frame allows the adversary
to attack throughout the lifetime of the network and we pessimistically assume that $B_q$ is large so that the
adversary may inflict sustained attacks.

As with previous works, we assume that there is a global broadcast schedule that assigns each node a
slot for broadcasting and that this schedule is obeyed by all correct nodes; the ordering is always the same
but the actual specification is unimportant (see [37] for an example). A cycle is defined as one full pass
through a global broadcast schedule (we call these transmit slots) plus an additional n slots that we call
response slots; we expand on this later.

Overview of the Protocol: The pseudocode is in Figure 5. Our protocol synchronizes the timing of
nodes for sending and listening. While this synchronization is not mathematically challenging, a full
description yields an unreadable protocol. For ease of exposition, our treatment addresses each node q in
$C = \{q(x, y) \mid -r \le x \le r \wedge y \ge 0\}$; that is, a corridor of width $2r + 1$ moving up from d. Traversing
the x-coordinates is nearly identical and the grid can be covered piecewise by these two types of corridors.

For each node p, define $A_p = \{q(u, v) \mid (a - r) \le u \le (a + z) \text{ and } (b + 1) \le v \le (b + r)\}$,
$B_p = \{q(u, v) \mid (a + z + 1) \le u \le (a + r) \text{ and } (b + 1) \le v \le (b + r)\}$ and
$B'_p = \{q'(u', v') \mid (a + z + 1 - r) \le u' \le a \text{ and } (b + r + 1) \le v' \le (b + 2r)\}$ for $0 \le z \le r$. The set $B'_p$ is obtained from $B_p$ by shifting
left by r units and up by r units; under this 1-to-1 translation, $q_1 \in B_p$ and $q_2 \in B'_p$ are sister nodes. The
reader is referred to [13] or [35] for a more in-depth discussion of these sets.

While a full presentation is somewhat tedious, the main idea is that where a node would have broadcasted
a message to a group of nodes in the protocol of Bhandari and Vaidya [13], we now use LOCAL
BROADCAST to communicate a message to that group of nodes. In terms of the messages themselves,
node q issues a COMMIT(q, m) message if q has committed to m. Node $q_2$ sends HEARD($q_2$, $q_1$, m) if $q_2$
has received a message COMMIT($q_1$, m). As in [13], p commits to m when it receives t + 1 COMMIT(q, m)
or HEARD($q_2$, $q_1$, m) from node-disjoint paths all lying within a single $(2r + 1) \times (2r + 1)$ area.

We now discuss how to move from slots in LOCAL BROADCAST to slots in a cycle. In general, the
transmit slots in a cycle are used by a node p to transmit a HEARD or COMMIT message via LOCAL
BROADCAST to a receiving set of nodes $R_p$, while the response slots in a cycle are used by nodes in $R_p$
to send back req messages to p. Therefore, there are up to n transmit slots needed. For simplicity, we do
not go into detail about how these are set up; we simply assume that nodes in $R_p$ know which response
slot to use.

For p in our pseudocode, $R_p = N(p) \cap C$ and p executes LOCAL BROADCAST(m, p, $R_p$) in
the context of the global broadcast schedule. By this, we mean that a slot in the Probabilistic Sending
Phase of LOCAL BROADCAST corresponds to p's transmit slot in some cycle, the next slot in that same
Probabilistic Sending Phase corresponds to p's transmit slot in the next cycle, and so on. The same thing
happens with the Deterministic Sending Phase. In both cases, the response slots are unused. Then in the
Probabilistic Nack Phase and Deterministic Nack Phase, the responses are used by each $R_p$ set in the same
fashion, where p now listens. By using a response slot, the nodes in $R_p$ send back to p simultaneously
as in LOCAL BROADCAST. Note that in the Probabilistic and Deterministic Nack phases, the transmit
slots are now unused. Therefore, in each cycle, only the transmit slots or response slots, but not both,
are used. For LOCAL BROADCAST running in at most D slots, executing LOCAL BROADCAST in the
context of the global broadcast schedule requires at most D cycles. In our pseudocode in Figure 5 we
have $D = 25 \cdot (B_q + 2^{\varphi-1} \ln^{\varphi-1} n)^{\varphi+1}$ in concordance with Lemma 3.5.

We include the detailed proof of completeness for Theorem 1.3 by showing that each correct node
DoS-Resistant Reliable Broadcast

• Starting in cycle 1, and ending no later than cycle $D = 25 \cdot (B_q + 2^{\varphi-1} \ln^{\varphi-1} n)^{\varphi+1}$,
node d executes LOCAL BROADCAST(m, d, $R_d$) and each node $i \in R_d$ commits to the
first value it receives from d.

As in [13], $p(x, y)$ commits to m when, through Steps 4 and 5, it receives t + 1
COMMIT(q, m) or HEARD($q_2$, $q_1$, m) from node-disjoint paths all lying within a single
$(2r + 1) \times (2r + 1)$ area; our analysis shows this occurs in cycle $2yD - 1$. The following
step is executed by each node p:

• Starting in cycle $2yD$, and ending no later than cycle $(2y + 1)D - 1$, node $p(x, y)$
performs LOCAL BROADCAST(COMMIT(p, m), p, $R_p$).

The following steps are executed by each node excluding those nodes in $N(d)$. Any
such correct node commits to m when it receives HEARD or COMMIT m from t + 1
node-disjoint paths within a single neighborhood.

For i = 0 to r - 1

- Starting in cycle $2(y - r + i)D$, and ending no later than cycle $2(y - r + i)D + D - 1$,
node $p(x, y)$ listens for COMMIT messages by executing LOCAL
BROADCAST(COMMIT(q, m), $q(x', y')$, $R_q$) with each node in row $y' = y - r + i$ in C
and where $p \in R_q$.

- Starting in cycle $2(y - r + i)D + D$, and ending no later than cycle $2(y - r + i)D + 2D - 1$,
node $p(x, y)$ listens for HEARD messages by executing LOCAL
BROADCAST(HEARD($q_2$, $q_1$, m), $q_2$, $R_{q_2}$) with each node $q_2 \in B'_p$ in row $y + i$
and where $p \in R_{q_2}$.

• Starting in cycle $2(y - r)D + D$, and ending no later than cycle $2(y - r)D + 2D - 1$, node $q_2$
sends a HEARD message by executing LOCAL BROADCAST(HEARD($q_2$, $q_1$, m), $q_2$, $R_{q_2}$)
where $q_1$, $q_2$ are sister nodes.



Figure 5: Pseudocode for DoS-Resistant Reliable Broadcast.



eventually commits to the correct value m sent by the dealer (the cost analysis is provided later). The
following Lemma 3.6 proves the correctness of our protocol in the grid; we emphasize that our argument
follows that of [13].

Lemma 3.6. Assume for each node p, $t < (r/2)(2r + 1)$ nodes in $N(p)$ are Byzantine and used by Carol
to disrupt p's communications for $\beta \le B_q$ time slots. Let $C = \{\text{Nodes } q \text{ at } (x, y) \mid -r \le x \le r \wedge y \ge 0\}$
be a corridor of nodes in this network. Then, DOS-RESISTANT RELIABLE BROADCAST achieves reliable
broadcast in C.

Proof. In [13], it is shown that each node $p(x, y)$ can obtain m by majority filtering on messages from
$2t + 1$ node-disjoint paths contained within a single $(2r + 1) \times (2r + 1)$ area since at least $t + 1$ will be
m. Our correctness proof is similar; however, we argue along a corridor and show that nodes in the $y^{th}$
row can commit to m by slot $2yD - 1$.
Base Case: Each node in $N(d)$ commits to the correct message m immediately upon hearing it directly
from the dealer by cycle D. Therefore, clearly, every node $p(x, y) \in N(d)$ commits by cycle $2yD - 1$.

Induction Hypothesis: Let $-r \le a \le r$. If each correct node $p'(x', y') \in N(a, b)$ commits to m by cycle
$2y'D - 1$, then each correct node $p(x, y) \in N(a, b + 1) - N(a, b)$ commits to m in cycle $2yD - 1$.

Induction Step: We now show $2t + 1$ connectedness within a single neighborhood and we argue simultaneously
about the time required for p to hear messages along these disjoint paths. The node $p(x, y)$ lies in
$N(a, b + 1) - N(a, b)$ and can be considered to have location $(a - r + z, b + r + 1)$ where $0 \le z \le r$ (the
case for $r + 1 \le z \le 2r$ follows by symmetry). We demonstrate that there exist $r(2r + 1)$ node-disjoint
paths $P_1, \ldots, P_{r(2r+1)}$ all lying within the same neighborhood and that the synchronization prescribed by
our protocol is correct:

One-Hop Paths: the set of nodes $A_p = \{q(u, v) \mid (a - r) \le u \le (a + z) \text{ and } (b + 1) \le v \le (b + r)\}$ lie
in $N(a, b)$ and neighbor p. Therefore, there are $r(r + z + 1)$ paths of the form $q \to p$ where $q \in A_p$.

By their position relative to $p(x, y)$, each correct node $q(u, v) \in A_p$ is such that $v = y - r + c$
for some fixed $c \in \{0, \ldots, r - 1\}$. Therefore, by the induction hypothesis, q commits to m by cycle
$2(y - r + c)D - 1$. By the protocol, $q(u, v)$ sends COMMIT messages using LOCAL BROADCAST in cycle
$2vD = 2(y - r + c)D$ until cycle $2(v + 1)D - 1 = (2(y - r + c) + 1)D - 1$ at the latest. By the protocol,
$p(x, y)$ listens for COMMIT messages from q starting in cycle $2(y - r + c)D$ until cycle $(2(y - r + c) + 1)D - 1$
at the latest; note that p listens to many executions of LOCAL BROADCAST containing HEARD messages,
but we focus on this particular one from q. Therefore, p and q are synchronized in the execution of LOCAL
BROADCAST and p will receive q's message by cycle $(2(y - r + c) + 1)D - 1 = (2(b + c + 1) + 1)D - 1$
at the latest. Since this occurs for all nodes in $A_p$, node p has received all COMMIT messages from $A_p$ by
cycle $(2(y - 1) + 1)D - 1 = (2(b + r) + 1)D - 1 < 2(b + r + 1)D - 1 = 2yD - 1$.

Two-Hop Paths: consider the sets $B_p = \{q(u, v) \mid (a + z + 1) \le u \le (a + r) \text{ and } (b + 1) \le v \le (b + r)\}$
and $B'_p = \{q'(u', v') \mid (a + z + 1 - r) \le u' \le a \text{ and } (b + r + 1) \le v' \le (b + 2r)\}$. The set $B'_p$ is obtained
by shifting $B_p$ left by r units and up by r units. Recall that there is a one-to-one mapping between the nodes
in $B_p$ and the nodes in $B'_p$; these are sister nodes. There are $r(r - z)$ paths of the form $q \to q' \to p$ where
q and q' are sister nodes. These sets, and the notion of sister nodes, are illustrated in Figure 4.

Consider a correct node $q(u, v) \in B_p$ and its sister node $q'(u', v') \in B'_p$ where $v' = v + r$ by
definition. Again, given the location of $q(u, v)$ relative to $p(x, y)$, we have $v = y - r + c$ for some
fixed $c \in \{0, \ldots, r - 1\}$. By the induction hypothesis, q commits to m by cycle $2vD - 1$. Then by
DOS-RESISTANT RELIABLE BROADCAST, q sends a COMMIT message using LOCAL BROADCAST in
cycle $2vD = 2(y - r + c)D$ until cycle $2(v + 1)D - 1 = (2(y - r + c) + 1)D - 1$ at the latest.
Again, this is the particular execution of LOCAL BROADCAST between q and q'; q performs others. By
DOS-RESISTANT RELIABLE BROADCAST, $q'(u', v')$ receives COMMIT messages from q using LOCAL
BROADCAST starting in cycle $2(v' - r + c)D = 2vD = 2(y - r + c)D$ and ending no later than cycle
$2(v' - r + c + 1)D - 1 = 2(v + 1)D - 1 = (2(y - r + c) + 1)D - 1$.

By the above, each node $q'(u', v') \in B'_p$ is able to start sending a HEARD message using LOCAL
BROADCAST in cycle $2(v' - r)D + D$ and ending no later than cycle $2(v' - r)D + 2D - 1$. Starting in
cycle $2(y - r + c)D + D$, node $p(x, y)$ uses LOCAL BROADCAST to listen for a HEARD message from
$q'(u', v')$ where $v' = y + c$. Therefore, p is listening to q' starting in $2(y - r + c)D + D = 2(v' - r)D + D$
and ending no later than $2(v' - r)D + 2D - 1$; p and q' are synchronized. Therefore, p receives all HEARD
messages by cycle $2(v' - r)D + 2D - 1$ when $v' = y + r - 1$ (the node at the top row of $B'_p$); that is, by
cycle $2(y - 1)D + 2D - 1 = 2yD - 1$.

Therefore, a total of $r(r + z + 1) + r(r - z) = r(2r + 1)$ node-disjoint paths from $N(a, b)$ to $PN(a, b)$ exist,
all lying in a single neighborhood $N(a, b + r + 1)$. For an adversary corrupting $t < (r/2)(2r + 1)$ nodes,
a correct node can majority filter to obtain m. Furthermore, we have shown that any $p(x, y) \in N(a, b + 1)$
[Figure 6 image not recovered; labels from the figure follow.]

Listen to COMMIT in row 1: [2D, 3D-1]
Send HEARD: [3D, 4D-1]
Listen to COMMIT in row 2: [4D, 5D-1]
Send HEARD: [5D, 6D-1]
Listen to COMMIT in row 3: [6D, 7D-1]
Send HEARD: [7D, 8D-1]

Listen to COMMIT in row 4: [8D, 9D-1]

Node p
Listen to HEARD in row 4: [3D, 4D-1]
Listen to HEARD in row 5: [5D, 6D-1]
Listen to HEARD in row 6: [7D, 8D-1]
Listen to COMMIT in row 1: [2D, 3D-1]
Listen to COMMIT in row 2: [4D, 5D-1]
Listen to COMMIT in row 3: [6D, 7D-1]
Send COMMIT: [8D, 9D-1]

Send COMMIT: [6D, 7D-1]
Send COMMIT: [4D, 5D-1]
Send COMMIT: [2D, 3D-1]

Figure 6: An example of some steps of the protocol for r = 3. The node in row 4 highlighted with the
horizontal lines in the $B'_p$ listens to a COMMIT message from its sister node in $B_p$ by partaking in LOCAL
BROADCAST as a receiver from cycle 2D to cycle 3D - 1. Then, in cycle 3D to cycle 4D - 1, that node
uses LOCAL BROADCAST to send a HEARD message to p who is listening in this execution of LOCAL
BROADCAST from cycle 3D to cycle 4D - 1. The listening for p for each row is described on the left;
note the synchronization. We also illustrate that those nodes above p will be listening for p's COMMIT
message using LOCAL BROADCAST at the appropriate time.



executes LOCAL BROADCAST $r(2r + 1) = O(r^2) = O(t)$ times in order to receive all COMMIT and
HEARD messages by cycle $2yD - 1$. Therefore, p can commit to the correct message by cycle $2yD - 1$;
this concludes the induction. □

Finally, we reiterate that proving reliable broadcast in a corridor is sufficient as the entire grid (with the 
exception of the boundary of width less than r in the case of a finite grid) can be covered piecewise by 
such corridors. 
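An added check of the path construction and cycle schedule described above, not code from the paper: it builds $A_p$, $B_p$ and the sister set $B'_p$ for $0 \le z \le r$, verifies that the $r(2r+1)$ paths are node-disjoint and stay inside $N(a, b+r+1)$, and derives the listening windows of Figure 5. The function names and the sample value D = 10 are assumptions of this example.

```python
def linf(p, q):
    """L-infinity distance between two grid points."""
    return max(abs(p[0] - q[0]), abs(p[1] - q[1]))


def neighbourhood(x, y, r):
    """All grid points within L-infinity distance r of (x, y)."""
    return {(u, v) for u in range(x - r, x + r + 1) for v in range(y - r, y + r + 1)}


def schedule_slot(x, y, r):
    """Transmit slot of node (x, y) in the example global broadcast schedule."""
    w = 2 * r + 1
    return ((x % w) * w + (y % w)) % (w * w)


def predecessor_paths(a, b, r, z):
    """Paths from committed nodes in N(a, b) to p = (a - r + z, b + r + 1)."""
    if not 0 <= z <= r:
        raise ValueError("covers 0 <= z <= r; larger z follows by symmetry")
    p = (a - r + z, b + r + 1)
    a_p = {(u, v) for u in range(a - r, a + z + 1) for v in range(b + 1, b + r + 1)}
    b_p = {(u, v) for u in range(a + z + 1, a + r + 1) for v in range(b + 1, b + r + 1)}
    sister = {q: (q[0] - r, q[1] + r) for q in b_p}   # B'_p: shift left r, up r
    one_hop = [(q, p) for q in sorted(a_p)]
    two_hop = [(q, sister[q], p) for q in sorted(b_p)]
    return p, one_hop, two_hop


def paths_are_valid(a, b, r, z):
    """True if all paths are node-disjoint, start in N(a, b), stay inside
    N(a, b + r + 1) and use only hops of length at most r."""
    _, one_hop, two_hop = predecessor_paths(a, b, r, z)
    paths = one_hop + two_hop
    committed = neighbourhood(a, b, r)
    single = neighbourhood(a, b + r + 1, r)
    relays = [node for path in paths for node in path[:-1]]
    return (
        len(relays) == len(set(relays))
        and all(path[0] in committed for path in paths)
        and all(node in single for path in paths for node in path)
        and all(linf(s, t) <= r for path in paths for s, t in zip(path, path[1:]))
    )


def max_faults(r):
    """Largest integer t with t < (r/2)(2r + 1)."""
    return (r * (2 * r + 1) - 1) // 2


def commit_window(y, D):
    """Cycles in which a node in row y runs LOCAL BROADCAST of its COMMIT."""
    return (2 * y * D, (2 * y + 1) * D - 1)


def heard_window(y, r, D):
    """Cycles in which a node in row y sends its HEARD message."""
    start = 2 * (y - r) * D + D
    return (start, start + D - 1)


def listen_windows(y, r, D):
    """(kind, row, first cycle, last cycle) for each listening step of p in row y."""
    windows = []
    for i in range(r):
        start = 2 * (y - r + i) * D
        windows.append(("COMMIT", y - r + i, start, start + D - 1))
        windows.append(("HEARD", y + i, start + D, start + 2 * D - 1))
    return windows


if __name__ == "__main__":
    print(paths_are_valid(0, 0, 3, 0), listen_windows(4, 3, 10), commit_window(4, 10))
```

With r = 3 and y = 4 the windows reproduce the intervals labelled in Figure 6, and every listening window of p coincides with the sending window of the row it listens to.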



3.6 Reliable Broadcast in General Topologies 

We examine the grid model previously because it features in previous literature on jamming-resistant
reliable broadcast UlEllIEl. In this section, we present our results for reliable broadcast on an arbitrary
graph $G = (V, E)$. Pelc and Peleg [52] examine a generalization of the t-locally bounded fault model;
that is, where each node contains at most t Byzantine nodes within its neighborhood. Specifically, they
examine the broadcast protocol of Koo [37], which the authors call the Certified Propagation Algorithm
(CPA), with the aim of establishing conditions for which it achieves reliable broadcast under arbitrary
graphs in contrast to the grid model. CPA does not always achieve optimal fault tolerance; for example, it
cannot tolerate the optimal number of faults $t = (r/2)(2r + 1) - 1$ in the grid as we do above. However,
we address CPA because its generality is powerful.
Again, CPA requires that all nodes obey a global broadcast schedule (i.e. there is no jamming adversary).
Pelc and Peleg [52] define $X(p, d)$ to be the number of nodes in p's neighborhood $N(p)$ that are
closer to d than p and then introduce the parameter $X(G) = \min\{X(p, d) \mid p, d \in V, (p, s) \notin E\}$. To
reiterate, one of their main results is that, for any graph G with dealer d such that $t < X(G)/2$, CPA
achieves reliable broadcast. For our purposes, define for each node p the set of nodes $X(p)$ to be those
$X(p, d)$ nodes closer to the dealer than p. Clearly, it is possible to identify $X(p)$ in polynomial time and
so we observe:

Observation 3.7. If the topology of G and the location of d is known to all nodes, then each node p can 
calculate X{p). 

3.6.1 A Favourable Protocol in General Topologies 

The pseudocode for CPA is given in Figure 7. Note that, unless a node is sending in the slot allotted to it
by the global broadcast schedule, or it has terminated, it is perpetually listening. We aim to remove this 
wasteful listening by synchronizing the sending and listening of nodes. 

In the context of CPA, we call a single iteration of the global broadcast schedule a broadcast round (we
use cycles again later on when we modify CPA). Throughout, assume that time is measured from when the
dealer first broadcasts m in broadcast round 0. Under CPA, regardless of the worst-case delay imposed by
the adversary, there is a broadcast round where p must have received at least t + 1 messages from distinct
correct nodes in $X(p)$ allowing p to commit to m; denote this broadcast round by $S_p$. Note that in any
execution of reliable broadcast, p may actually be able to commit before broadcast round $S_p$, but $S_p$ is the
maximum broadcast round in which p is guaranteed to have all the information it needs to commit to m
regardless of how the adversarial nodes behave.

Since a correct node $u \in N(d)$ accepts what it hears from the dealer d immediately, and d's broadcast
round is 0, = 1. For nodes not in $N(d)$, the situation is slightly more complicated. In the grid, for node
$p(x, y)$, we were able to compute $S_p$ explicitly (in terms of cycles) as $2yD - 1$ in the corridor C (see proof
of Lemma 3.6). Here, unlike with the grid, we cannot specify $S_p$ explicitly for any graph G because it is
dependent on the topology; however, by the correctness of CPA, every node eventually commits and so $S_p$
must exist for each node p. In fact, our protocol based on CPA is simpler than that in the grid because the
protocol of Bhandari and Vaidya [13] uses HEARD messages (which makes the synchronization tedious),
while CPA uses only COMMIT messages.

For a fixed G whose topology is known to all nodes (including knowledge of where the dealer d is
situated), each node p can calculate $S_p$. This is done by simulating the propagation of m using CPA. In this
simulation, each node p has the maximum $t = X(G)/2 - 1$ Byzantine nodes in $X(p)$ and these Byzantine
nodes send their faulty messages prior to the t + 1 correct responses in order to delay propagation of m for as
long as possible. By assuming that every $X(p)$ has the maximum number of Byzantine nodes, the actual
placement of the Byzantine nodes in G does not affect the worst-case broadcast time $S_p$. In tracing this
propagation, any node can calculate $S_p$ for any node p.

Now, consider the following minor modifications to CPA: (1) each correct node p only listens to
$q \in X(p)$ in broadcast round $S_q + 1$, and (2) each correct node p only sends its commit message in
broadcast round $S_p + 1$. In all other slots, a node p is sleeping. This is a minor modification of CPA; call it
CPAq. These modifications synchronize the sending/listening and allow nodes to otherwise sleep instead
of perpetually listening as in CPA. The pseudocode for CPAq is given in Figure 8. While it is fairly clear
that this modification does not affect correctness, we state it formally for completeness.

Lemma 3.8. If CPA achieves reliable broadcast, then CPAq achieves reliable broadcast. 

Proof. For every node p, assume $X(p)$ has the maximum $t = X(G)/2 - 1$ Byzantine nodes and that these 
Byzantine nodes all send their messages to p ahead of the correct nodes in $X(p)$ according to the broadcast 






Certified Propagation Algorithm ([37] and [52]) 

• The dealer d sends the message to all of its neighbors and terminates. 

• For a correct node $u \in N(d)$, upon receiving m from d it commits to m, 
node u announces this commitment to its neighbors and terminates. 

• If a node is not a neighbor of the source, then upon receiving t + 1 copies 
of m from t + 1 distinct neighbors, it commits to m, and announces this 
commitment to its neighbors and terminates. 



Figure 7: Pseudocode for the Certified Propagation Algorithm (CPA) 

CPAq 

• In broadcast round 0, the dealer d sends the message to all of its neighbors 
and terminates. 

• For a correct node $u \in N(d)$, u listens in broadcast round 0 and accepts 
m as correct, announces this commitment to its neighbors in broadcast 
round 1, and terminates. 

• If a node p is not a neighbor of the source, then p listens to each neighbor 
$q \in X(p)$ in broadcast round $s_q + 1$; otherwise, p sleeps. Upon receiving 
t + 1 copies of m from t + 1 distinct neighbors in $X(p)$, it accepts m as 
correct, announces this commitment to its neighbors in broadcast round 
$s_p + 1$, and terminates. 



Figure 8: Pseudocode for CPAq. 

schedule. Pelc and Peleg [52] showed that CPA is correct in this situation (their result is independent of 
any particular ordering of sending in the broadcast schedule; that is, CPA remains correct if Byzantine 
nodes always send first). Therefore, in this case, each correct node p would receive a commitment from 
$q \in X(p)$ in broadcast round $s_q + 1$ and node p would announce its commitment in round $s_p + 1$. 
This is exactly what happens in CPAq with nodes sleeping otherwise. Therefore, if CPA achieves reliable 
broadcast, then so does CPAq. □ 
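
The schedule computation described above (tracing CPA's worst-case propagation on a known topology, then waking each node only in its CPAq listen and send rounds) can be carried out as follows. This is an added example, not the authors' code. It assumes a constructed 7x7 grid with L-infinity radius 1, uses each node's whole neighbourhood in place of X(p), and models the worst case as waiting for 2t + 1 announcing neighbours (t Byzantine messages ahead of t + 1 correct ones).

```python
from itertools import product

def grid_neighbors(n, r=1):
    """Constructed topology: n x n grid, nodes within L-infinity distance r are neighbours."""
    nodes = list(product(range(n), repeat=2))
    return {(x, y): [(a, b) for a, b in nodes
                     if (a, b) != (x, y) and max(abs(a - x), abs(b - y)) <= r]
            for x, y in nodes}

def announce_rounds(adj, dealer, t):
    """Worst-case broadcast round in which each node sends COMMIT (the page's s_p + 1).

    Assumption: in every neighbourhood the t earliest senders are Byzantine, so a
    node commits only after 2t + 1 neighbours have announced. Nodes that can never
    reach that count are left out of the result.
    """
    need = 2 * t + 1
    announce = {dealer: 0}
    for u in adj[dealer]:
        announce[u] = 1            # hears d in round 0, announces in round 1
    heard = {p: 0 for p in adj}
    rnd = 1
    while True:
        senders = [q for q, a in announce.items() if a == rnd]
        if not senders:
            return announce
        for q in senders:
            for p in adj[q]:
                if p not in announce:
                    heard[p] += 1
        for p in adj:
            if p not in announce and heard[p] >= need:
                announce[p] = rnd + 1
        rnd += 1

def cpaq_schedule(adj, announce, dealer):
    """Rounds in which each node is awake under CPAq; it sleeps in all others."""
    sched = {}
    for p, a in announce.items():
        if p == dealer:
            listen = []
        elif dealer in adj[p]:
            listen = [0]
        else:
            # Listen only in rounds where some neighbour is scheduled to announce
            # before p itself commits.
            listen = sorted({announce[q] for q in adj[p]
                             if q in announce and 0 < announce[q] < a})
        sched[p] = {"listen": listen, "send": a}
    return sched

if __name__ == "__main__":
    adj = grid_neighbors(7)
    ann = announce_rounds(adj, dealer=(3, 3), t=1)
    sched = cpaq_schedule(adj, ann, dealer=(3, 3))
    for node in [(2, 3), (1, 3), (1, 1), (0, 0)]:
        print(node, sched[node])
```

Under plain CPA a node such as (0, 0) would listen in every round until it commits; under this schedule it is awake in three rounds.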

Define a cycle as done before in the grid. In Figure 9, we provide pseudocode for a fair and favourable 
reliable broadcast algorithm FCPA that tolerates the jamming adversary described in Theorem 1.3. 

Lemma 3.9. Assume CPA achieves reliable broadcast on a graph G. Then FCPA 
guarantees reliable broadcast on G. 

Proof. Using FCPA, we claim that every correct node p can commit by cycle $s_p \cdot D$. To prove this, assume 
the opposite: that some node p does not commit to the correct value by cycle $s_p \cdot D$. Then, there is some 
correct node $q \in X(p)$ that: (1) could not commit to a message by time slot $s_q \cdot D$ (and could not send p 
a commitment message), or (2) committed to a wrong message (and sent that wrong message to p). Note 
that the time for any node p' to send its commit message to a node p'' is at most D cycles by Lemma [331. 
Therefore, if q cannot commit (or commits to the wrong value) by $s_q \cdot D$ in FCPA, then q cannot commit 

FCPA 

• The dealer d sends the message to all of its neighbors using LOCAL 
BROADCAST(m, d, N(d)) and terminates after at most D = 25 ■ {Bq + 
2^-iln'P-i„)¥'+i cycles. 

• If node $u \in N(d)$, then upon receiving m from d via LOCAL 
BROADCAST(m, d, N(d)), it accepts m as correct, announces this commitment 
to its neighbors in cycle D, and terminates. 

• If a node p is not a neighbor of the source, then p listens to each neighbor 
$q \in X(p)$ via LOCAL BROADCAST(m, q, N(q)) starting in cycle $s_q \cdot D + 1$ 
and ending by $(s_q + 1) \cdot D$; otherwise, p sleeps. Upon receiving t + 1 
copies of m in this fashion from t + 1 distinct neighbors in $X(p)$, it accepts 
m as correct, announces this commitment to its neighbors using LOCAL 
BROADCAST(m, p, N(p)) in broadcast cycle $s_p \cdot D + 1$, and terminates 
by cycle $(s_p + 1) \cdot D$. 



Figure 9: Pseudocode for FCPA. 



by cycle $s_q$ in CPAq; therefore, CPAq fails to achieve reliable broadcast. However, if CPAq fails to achieve 
reliable broadcast, then by the contrapositive of Lemma 3.8, this contradicts the assumption that CPA 
achieves reliable broadcast. □ 



3.6.2 Favourability Analysis 

Finally, the following analysis proves favourability, both for the grid and for general topologies: 

Theorem 1.3 — Cost Analysis: In both of our protocols, each correct node p partakes in an execution of 
Local Broadcast $O(t)$ times as a sender and receiver; let $k$ denote the total number of such executions. 
For the $i^{th}$ such execution, let $\tau_i$ be the number of slots for which the adversary is active for $i = 1, ..., k$. 
Denote the adversary's total active time by $\beta = \sum_{i=1}^{k} \tau_i$ — -^o. Consider two cases: 

Case I: Assume the adversary is active for a total of $\beta = \sum_{i=1}^{k} \tau_i = O(t \ln^{\varphi+1} t)$ slots over all $k$ executions 
of Local Broadcast involving p. For each execution, p incurs $O(\tau_i^{\varphi-1} \ln t + \ln^{\varphi} t)$ cost in expectation 
by Theorem 1.2. Therefore, over $k = O(t)$ executions, p's expected total cost is 
$O((\sum_{i=1}^{k} \tau_i^{\varphi-1}) \ln t + t \ln^{\varphi} t) = O((\sum_{i=1}^{k} \tau_i) \ln t + t \ln^{\varphi} t) = O(\beta \ln t + t \ln^{\varphi} t) = O(t \ln^{\varphi+2} t)$. 

Case II: Otherwise, $\beta = \sum_{i=1}^{k} \tau_i = \omega(t \ln^{\varphi+1} t)$. By Jensen's inequality for concave functions, for 
a concave function $f$, $f(\frac{1}{k} \sum_{i=1}^{k} \tau_i) \geq \frac{1}{k} \sum_{i=1}^{k} f(\tau_i)$. Since $f(\tau) = \tau^{\varphi-1}$ is concave, it follows that 
$\sum_{i=1}^{k} \tau_i^{\varphi-1} \leq k (\frac{1}{k} \sum_{i=1}^{k} \tau_i)^{\varphi-1} = k^{2-\varphi} (\sum_{i=1}^{k} \tau_i)^{\varphi-1}$. Therefore, the total expected cost to p over 
$k = O(t)$ executions is $O((\sum_{i=1}^{k} \tau_i^{\varphi-1}) \ln t) + O(t \ln^{\varphi} t) = O(t^{2-\varphi} (\sum_{i=1}^{k} \tau_i)^{\varphi-1} \ln t) + O(t \ln^{\varphi} t) = 
O(t^{2-\varphi} \beta^{\varphi-1} \ln t + t \ln^{\varphi} t) = o(\beta)$. Therefore, p's expected cost is less than that of the adversary. 

Substituting $t = O(r^2)$ into the above analysis yields the favourability result in the grid and, together, 
gives our result for the grid model in Theorem 1.3. □ 

Therefore, while the adversarial nodes incur a cost of $\beta$, reliable broadcast is possible with each correct 
node incurring a cost of $o(\beta)$ for $\beta$ sufficiently large; this yields Theorem 1.3. 

3.6.3 The Las Vegas Guarantee in Multi-Hop WSNs 

In addition to the rationale given in Section [T31, the Las Vegas property is also valuable in multi-hop sensor 
networks for the following reason. Let n be the number of devices within transmitting distance of a device, 
and let N be the total number of devices in the network. Monte Carlo protocols that succeed with high 
probability in n are possible. However, typically, $n \ll N$ and messages will traverse a chain of multiple 
hops; consider $\Omega(N)$ hops. Consider a failure probability for a single hop that is small, but non-zero, 
such as Q{n~^) for some constant c > 0, or even 0(2~"), then communication fails along the chain with 
constant probability. Alternatively, we might achieve protocols that succeed with high probability in N. 
However, in large networks, N may not be known a priori. Furthermore, achieving a high probability 
guarantee in N typically involves $\Omega(\log N)$ operations which, for large N, may be too costly. Therefore, 
by devising Las Vegas protocols, we avoid assumptions that are problematic given that $n \ll N$. 

We note that transmission over the wireless medium is subject to error due to radio-irregularity and 
gray-zone effects. Does this reduce the utility of our Las Vegas guarantee? In many cases, we argue 
that it does not. Under fair weather conditions, the percentage of successfully received packets is nearly 
100% up to a distance threshold exceeding 25 meters in the case of the MICA2DOT mote |l2l. Other 
experimental studies have shown that communication is reliable so long as the signal-to-interference-plus-noise-ratio 
exceeds a threshold value [63, 64]; therefore, using a transmission power above this threshold 
yields reliable communication. Other experimental studies show that the packet reception rate, which closely 
approximates the probability of successfully receiving a packet between two neighbouring nodes, is perfect 
up to a fixed distance [177 J . Therefore, for an appropriate transmission power in dense sensor networks, 
communication over the wireless medium should not undermine our Las Vegas guarantee. 

4 Application 2: Application-Level DDoS Attacks 

Typically in application-level DDoS attacks, a number of compromised clients, known collectively as a 
botnet, are employed to overwhelm a server with requests. These botnets have become commercialized 
with operators ("botmasters") renting out time to individuals for the purposes of launching attacks [23, 39]. 

We assume a model of botnet attacks similar to that described by Walfish et al. [69]. In this model, a 
request is cheap for a client to issue, expensive for the server to service, and all requests incur the same 
computational cost (heterogeneous requests can likely be handled as in [69]). There is a high-capacity 
communication channel and the crucial bottleneck is the server's inability to process a heavy request load. 

The client rate is g requests per second. The aggregate botnet rate is R requests per second and this is 
assumed to be both relatively constant and the botnet's maximum possible rate. If the server is overloaded, 
it randomly drops excess requests. In this case, the good clients only receive a fraction $g/(g + R)$ of the 
server's resources; it is assumed that $R \gg g$ so that $g/(g + R)$ is very small. 

Walfish et al. [69] propose a protocol Speak-Up for resisting DDoS attacks by having clients increase 
their sending rate such that their aggregate bandwidth G is on the same order as that of R. Since botnet 
machines are assumed to have already "maxed-out" their available bandwidth in attacking, Speak-Up 
greatly increases the chance that the server processes a legitimate request since $G/(G + R) \gg g/(g + R)$. 
A crucial component of Speak-Up is a front-end to the server called the "thinner" which controls which 
requests are seen by the server and asks a client to retry her request if it was previously dropped. Here, we 
apply our results for Case 2 to the interactions between the client and the thinner. 

Lastly, we note that there are a number of questions that naturally arise when considering the scheme 
of Walfish et al. and our adaptation here. How will the increased traffic from the clients affect the overall 
performance of the network? For what size of botnet is this approach applicable? These questions, and 
many others, are addressed in the original paper by Walfish et al. [69] and we refer the interested reader to 
this work. 

DoS-Resistant Client-Server Communication for round i > 2 

Send Phase: For each of the $2^{2i}$ slots do 

• The client sends her request with probability $2/2^i$. 

• The server (via the thinner) listens with probability $2/2^i$. 

Nack Phase: 

• The server sends back the requested data. 

• The client listens. 

If the client receives her data, she terminates; otherwise, the thinner tells her to 
retry in the next round. 

Figure 10: Pseudocode for the application of Case 2 of our 3-Player Scenario to the client-server scenario. 

4.1 Our Protocol 

We employ Case 2 of our 3-Player Scenario Protocol to achieve a Speak-Up-like algorithm with 
provable guarantees. Bandwidth (upstream and downstream rates in bits per second) is our measure of cost 
and, as such, our results should be interpreted as quantifying the expected upstream bandwidth required 
by the client and the expected downstream bandwidth with which the server should be provisioned. Using 
bandwidth as a form of currency has been previously employed by the research community [29, 61, 69]. 
Our pseudocode is given in Figure 10. 

Note that the Nack Phase is simplified due to the fact that attacks do not occur in this phase for Case 
2 of the 3-Player Scenario Protocol. Like [69], our protocol is suitable for applications where 
there is no pre-defined clientele (so the server cannot filter traffic) and the clientele can be non-human (so 
"proof-of-humanity" tests cannot be relied upon solely). Unlike the wireless domain, we do not address 
reactive adversaries. Determining when a player is sending over the wire in order to control when its traffic 
arrives at the targeted player seems beyond the capability of a realistic attacker. 

The client plays the role of Alice where the message is a request; the server plays the role of Bob. 
This application falls into Case 2 of Theorem 1.1: a DDoS attack targets the server while communications 
from the server to the clients are not disrupted. The client and server are assumed to be synchronized 
such that they always agree on the current round and a maximum round number is set a priori. Such 
synchronization is certainly possible over Internet-connected machines and the maximum round value 
should be set to account for the level of DDoS resistance the participants wish to have; for most attacks, R 
is in the low hundreds of Mbits/second [60]. We now provide an overview of our protocol. 

Send Phase: Each Send Phase occurs over a uniform and fixed duration A; for simplicity, we set A = 
1 second, and the slot length changes in each round appropriately. The client sends in each slot with 
probability $2/2^i$ with an expected $2^{i+1}$ upstream bits per second. The server listens in each slot with 
probability $2/2^i$ for an expected $2^{i+1}$ downstream bits per second. If the received traffic substantially 
exceeds $2^{i+1}$, requests are dropped; probabilistic listening and traffic measurement on the server side can 
be performed by the thinner [69]. 

Note that in each round, the client increases her sending rate in the Send Phase to "speak up". Any 
correct client that reaches its bandwidth limit remains at this limit for the duration of the protocol. When 
the maximum round number is reached, the clients maintain their sending rate until the thinner informs 
them that the attack has ended. For the purposes of analysis, a blocked slot occurs when Carol overwhelms 
the server with requests and the client's request is dropped in that slot. Define a send-blocked phase as 
one where Carol blocks at least $2^{2i}/2$ slots; therefore, Carol uses an upstream bandwidth of at least $2^{2i}/2$ 
bits per second. As in [69], if the thinner drops a request, it immediately asks the client to retry in the next 
round. 

Nack Phase: The server does not increase its sending rate per round (only the client speaks up) since there 
are no attacks in the Nack Phase for Case 2. This simplifies the Nack Phase as mentioned in Section 2 
in our discussion of Nack Failures; the server simply returns the requested data to the client at some 
reasonable rate. 

We assume upstream and downstream bandwidth are capped; this is true of residential Internet packages, as 
well as hosted services. In the case of residential service, upstream bandwidth is scarcer than downstream 
bandwidth, while servers are generally well-provisioned for both; this can be reflected in our cost constants. 
By Case 2 of Theorem 1.1, we have: 

Corollary 4.1. If Carol uses bandwidth R to attack, then the client's request is eventually serviced, and 
the expected bandwidth (upstream and downstream) used by the client and the server is $O(R^{0.5})$. 
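
The round structure of Figure 10 can be simulated to see the sublinear client cost that Corollary 4.1 states. This is an added example, not the authors' code. It assumes round i has 2^(2i) slots, that client and thinner are each active in a slot with probability 2/2^i, that one send costs one unit, and that Carol (a hypothetical non-reactive strategy) spends her budget flooding the earliest slots of each round.

```python
import random

def slots_in_round(i):
    """Number of slots in the Send Phase of round i (assumed 2^(2i))."""
    return 2 ** (2 * i)

def activity_probability(i):
    """Per-slot probability that the client sends / the thinner listens."""
    return 2 / 2 ** i

def run_protocol(budget, rng, first_round=3, max_round=12):
    """Play rounds until a request gets through.

    budget: total number of slots Carol can block (her cost R).
    Returns (client_sends, carol_spent, final_round).
    """
    sends = spent = 0
    for i in range(first_round, max_round + 1):
        n, p = slots_in_round(i), activity_probability(i)
        blocked = min(budget - spent, n)   # Carol floods the first `blocked` slots
        spent += blocked
        delivered = False
        for slot in range(n):
            client_sends = rng.random() < p
            thinner_listens = rng.random() < p
            sends += client_sends          # client pays for every send, blocked or not
            if slot >= blocked and client_sends and thinner_listens:
                delivered = True           # learned only in the Nack Phase
        if delivered:
            return sends, spent, i
        # Otherwise the thinner asks the client to retry in round i + 1.
    return sends, spent, max_round

def mean_client_cost(budget, trials=50, seed=1):
    """Average client cost over seeded trials for a given attack budget."""
    rng = random.Random(seed)
    return sum(run_protocol(budget, rng)[0] for _ in range(trials)) / trials

if __name__ == "__main__":
    for budget in (256, 4096):
        cost = mean_client_cost(budget)
        print(f"Carol budget R={budget:5d}  mean client sends={cost:7.1f}  "
              f"sqrt(R)={budget ** 0.5:5.1f}")
```

A 16-fold increase in Carol's budget raises the client's mean cost by roughly a factor of 4, not 16.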

Bob can represent multiple good clients. We assume the same synchronization with the server; however, 
clients joining at different times are informed by the thinner of the current round. In order to be guaranteed 
some of the server's resources, the clients' expected aggregate bandwidth is $G = \Omega(R^{0.5})$. Therefore, our 
result quantifies the minimum expected aggregate upstream bandwidth for clients and the expected 
downstream bandwidth for the server required to ensure that total censorship is averted; in contrast, Speak-Up 
cannot make such a guarantee. 

Of course, making it costly for the adversary to achieve an attack that results in zero throughput does 
not solve the problem of DDoS attacks by any means. Ideally, we would like to see a result that 
quantifies cost versus performance more generally and this is an area for future work. However, we 
do point out that our result might be useful for applications where a critical update or warning must be 
disseminated, and delivery to even a handful of clients is sufficient since they may then share it with others 
(via multicast, peer-to-peer distribution, etc.). 

As with Speak-Up, the probability of a legitimate request being serviced is still $G/(G + R)$. In addition 
to admitting an analysis, our iterative approach of geometrically increasing the aggregate bandwidth 
should mitigate attempts by Carol at launching short duration DDoS attacks in order to provoke a steep 
and disruptive traffic increase from correct clients. In the context of Section 1.4, our protocol is fair in 
that the aggregate requirements of the bandwidth constrained clients is asymptotically equal to that of the 
well-provisioned server. Restating our result above in the context of multiple clients yields Theorem 1.4. 

Finally, in order to achieve the same level of denial of service against a server that is defended by our 
protocol, Carol must procure a much larger botnet in order to obtain the necessary bandwidth; however, 
this comes at a cost. For example, one study found the cost of a single bot to be between $2 and $25 [23]. 
Therefore, since Carol's bandwidth requirements increase quadratically, her monetary costs increase 
significantly with the use of our protocol. 

5 Conclusion 

We have examined an abstract model of conflict over a communication channel. In the 3-Player Scenario, 
we remark that there is an $O(1)$ up-front cost per execution of our protocol when there are no send- or 
nack-blocking attacks. Similarly, there are small up-front costs for our other favorable protocols. This is 
the (tolerable) price for communication in the presence of a powerful adversary, even if that adversary is 
not necessarily very active. The golden ratio arises naturally from our analysis, and its appearance in this 
adversarial setting is interesting; an important open question is whether $\Omega(B^{\varphi-1} + 1)$ cost is necessary. 

Also of interest is determining whether there are resource-competitive algorithms for other types of 
problems. An interesting starting point might be the problem of conflict over dissemination of an idea in a 
social network, using the models of Kempe et al. [33]. Another challenge is whether or not more general 
and powerful results are possible regarding DDoS attacks in the client-server scenario. Finally, while we 
have applied resource-competitive analysis to fundamental communication scenarios, we are interested 
in using this approach to address other problems from the area of distributed computing such as Byzantine 
agreement and consensus in the wired domain. 

Acknowledgements: We thank Martin Karsten, Srinivasan Keshav, and James Horey for their valuable 
comments. 